Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523781
MD5:	db7b43084f7a44e3290774e36d49ce41
SHA1:	1e1321a6e0c6f63b719daccdacbde4a10547021e
SHA256:	a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

AI detected suspicious sample

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

file.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DB7B43084F7A44E3290774E36D49CE41)

cmd.exe (PID: 1368 cmdline: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3428 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2872 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 824 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2008 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2688 cmdline: cmd /c md 182349 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5752 cmdline: findstr /V "RefundAlienConservativeChapters" Coral MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6640 cmdline: cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Beginners.pif (PID: 7092 cmdline: Beginners.pif l MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 1900 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 5996 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 2416 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

TradeHub.scr (PID: 1460 cmdline: "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , ProcessId: 2416, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Beginners.pif l, CommandLine: Beginners.pif l, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: Beginners.pif l, ProcessId: 7092, ProcessName: Beginners.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , ProcessId: 2416, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 1900, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 2008, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Virustotal: Detection: 10%			Perma Link
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 16%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00114005
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011CD14 FindFirstFileW,FindClose,	10_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0011FA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00DC4005
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_00DC494A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00DCC2FF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_00DCCD9F
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCCD14 FindFirstFileW,FindClose,	15_2_00DCCD14
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00DCF5D8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00DCF735
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00DCFA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00DC3CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\182349\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\182349	Jump to behavior

Source: unknown

DNS traffic detected: query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_001229BA

Source: global traffic

DNS traffic detected: DNS query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH

Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687736473.0000000000179000.00000002.00000001.01000000.00000006.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr, 0000000F.00000002.3506982744.0000000000E29000.00000002.00000001.01000000.00000008.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Sp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		10_2_00124830
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DD4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		15_2_00DD4830

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00124632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_00124632

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0013D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		10_2_0013D164
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		15_2_00DED164

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00114254: CreateFileW,DeviceIoControl,CloseHandle,

10_2_00114254

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00108F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00108F2E

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	10_2_00115778
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	15_2_00DC5778

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\AdoptionSections	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\AdvisorUsb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\ProminentSavings	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\ValuablePeninsula	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000BB020	10_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000B94E0	10_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000B9C80	10_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D23F5	10_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00138400	10_2_00138400
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000E6502	10_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000E265E	10_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000BE6F0	10_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D282A	10_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000E89BF	10_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00130A3A	10_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000E6A74	10_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000C0BE0	10_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000DCD51	10_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0010EDB2	10_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00118E44	10_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00130EB7	10_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000E6FE6	10_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D33B7	10_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000DF409	10_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000CD45D	10_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000CF628	10_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000B1663	10_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000BF6A0	10_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D16B4	10_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D78C3	10_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D1BA8	10_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000DDBA5	10_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000E9CE5	10_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000CDD28	10_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D1FC0	10_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000DBFD6	10_2_000DBFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D6B020	15_2_00D6B020
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D694E0	15_2_00D694E0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D69C80	15_2_00D69C80
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D823F5	15_2_00D823F5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DE8400	15_2_00DE8400
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D96502	15_2_00D96502
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D6E6F0	15_2_00D6E6F0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D9265E	15_2_00D9265E
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8282A	15_2_00D8282A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D989BF	15_2_00D989BF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D96A74	15_2_00D96A74
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DE0A3A	15_2_00DE0A3A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D70BE0	15_2_00D70BE0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DBEDB2	15_2_00DBEDB2
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8CD51	15_2_00D8CD51
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DE0EB7	15_2_00DE0EB7
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC8E44	15_2_00DC8E44
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D96FE6	15_2_00D96FE6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D833B7	15_2_00D833B7
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D7D45D	15_2_00D7D45D
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8F409	15_2_00D8F409
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D816B4	15_2_00D816B4
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D6F6A0	15_2_00D6F6A0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D61663	15_2_00D61663
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D7F628	15_2_00D7F628
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D878C3	15_2_00D878C3
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D81BA8	15_2_00D81BA8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8DBA5	15_2_00D8DBA5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D99CE5	15_2_00D99CE5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D7DD28	15_2_00D7DD28
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8BFD6	15_2_00D8BFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D81FC0	15_2_00D81FC0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: String function: 00D71A36 appears 34 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: String function: 00D80D17 appears 70 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: String function: 00D88B30 appears 42 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: String function: 000C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: String function: 000D8B30 appears 42 times

Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.expl.evad.winEXE@28/18@2/0

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_0011A6AD GetLastError,FormatMessageW,

10_2_0011A6AD

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00108DE9 AdjustTokenPrivileges,CloseHandle,	10_2_00108DE9
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00109399
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DB8DE9 AdjustTokenPrivileges,CloseHandle,	15_2_00DB8DE9
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DB9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	15_2_00DB9399

Source: C:\Users\user\Desktop\file.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_00114148

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_0011443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

10_2_0011443D

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nsn1295.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 16%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000D8B75 push ecx; ret	10_2_000D8B88
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000CCBDB push eax; retf	10_2_000CCBF8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D88B75 push ecx; ret	15_2_00D88B88

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_001359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	10_2_001359B3
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	10_2_000C5EDA
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DE59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	15_2_00DE59B3
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D75EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	15_2_00D75EDA

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_000D33B7

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_10-100298

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	API coverage: 4.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00114005
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011CD14 FindFirstFileW,FindClose,	10_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0011FA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00DC4005
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_00DC494A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00DCC2FF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_00DCCD9F
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCCD14 FindFirstFileW,FindClose,	15_2_00DCCD14
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00DCF5D8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00DCF735
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00DCFA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00DC3CE2

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_000C5D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\182349\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\182349	Jump to behavior

Source: Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: TradeHub.scr, 0000000F.00000002.3506788424.0000000000C73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_001245D5 BlockInput,

10_2_001245D5

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_000C5240

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_000E5CAC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_001088CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000DA354 SetUnhandledExceptionFilter,	10_2_000DA354
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_000DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000DA385
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00D8A385
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00D8A354 SetUnhandledExceptionFilter,	15_2_00D8A354

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00109369 LogonUserW,

10_2_00109369

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_000C5240

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00111AC6 SendInput,keybd_event,

10_2_00111AC6

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_001151E2 mouse_event,

10_2_001151E2

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradeoptimize dynamics\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradeoptimize dynamics\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

10_2_001088CD

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_00114F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00114F1C

Source: file.exe, 00000000.00000003.1665758727.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003755000.00000004.00000800.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687565395.0000000000166000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Beginners.pif, TradeHub.scr	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000D885B cpuid

10_2_000D885B

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000F0030 GetLocalTime,__swprintf,

10_2_000F0030

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000F0722 GetUserNameW,

10_2_000F0722

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif

Code function: 10_2_000E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_000E416A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: TradeHub.scr	Binary or memory string: WIN_81
Source: TradeHub.scr	Binary or memory string: WIN_XP
Source: TradeHub.scr	Binary or memory string: WIN_XPe
Source: TradeHub.scr	Binary or memory string: WIN_VISTA
Source: TradeHub.scr	Binary or memory string: WIN_7
Source: TradeHub.scr	Binary or memory string: WIN_8
Source: Sp.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_0012696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	10_2_0012696E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif	Code function: 10_2_00126E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	10_2_00126E32
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DD696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	15_2_00DD696E
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr	Code function: 15_2_00DD6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	15_2_00DD6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	11 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	111 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	4 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
file.exe