IOC Report
file.exe


Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | PE32 executable (GUI) Intel 80386, for MS Windows | modified | malicious |
| C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js | ASCII text, with no line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url | MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >), ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\182349\l | SysEx File - Harmony | dropped | |
| C:\Users\user\AppData\Local\Temp\Cause | SysEx File - Harmony | dropped | |
| C:\Users\user\AppData\Local\Temp\Coral | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Correlation | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Edges | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Provision | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Res | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Shopper | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Sp | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Sunset | ASCII text, with very long lines (409), with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\Sunset.bat (copy) | ASCII text, with very long lines (409), with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\Wearing | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Zinc | data | dropped | |
| C:\Users\user\AppData\Local\TradeOptimize Dynamics\z | SysEx File - Harmony | dropped | |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat | malicious |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" | malicious |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 182349 | malicious |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "RefundAlienConservativeChapters" Coral | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l | malicious |
| C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Beginners.pif l | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit | malicious |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" | malicious |
| C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\tasklist.exe | tasklist | |
| C:\Windows\SysWOW64\tasklist.exe | tasklist | |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://www.autoitscript.com/autoit3/J | unknown | |
| http://nsis.sf.net/NSIS_ErrorError | unknown | |
| https://www.autoitscript.com/autoit3/ | unknown | |

Domains

| Name | IP | Malicious |
| --- | --- | --- |
| bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH | unknown | |

Registry

| Path | Value | Malicious |
| --- | --- | --- |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe | JScriptSetScriptStateStarted | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
| --- | --- | --- | --- |
| 33F1000 | heap | page read and write | |
| 93E000 | stack | page read and write | |
| 86E000 | heap | page read and write | |
| 86E000 | heap | page read and write | |
| 2AC6000 | heap | page read and write | |
| 84E000 | heap | page read and write | |
| 87D000 | heap | page read and write | |
| 4AE000 | heap | page read and write | |
| 235111E0000 | heap | page read and write | |
| E0C000 | heap | page read and write | |
| E98000 | heap | page read and write | |
| 3B11000 | heap | page read and write | |
| 2410000 | heap | page read and write | |
| 2DE6000 | heap | page read and write | |
| 881000 | heap | page read and write | |