Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1458478
MD5: 814ff8b10d8641b03fcf1e9efc1005bf
SHA1: 25cb52ef822cf0077a11278d936569ed5f5d92d4
SHA256: 976137409e5d45839870a834b4b06bd46495a39d216bb0f31f1f0370fe1b5d94
Tags: exe
Infos:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Wscript called in batch mode (surpress errors)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402902 FindFirstFileW, 0_2_00402902
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040689A FindFirstFileW,FindClose, 0_2_0040689A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C047B7 GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00C047B7
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00C03B4F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00C03E72
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00C0C16C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0CB81 FindFirstFileW,FindClose, 10_2_00C0CB81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00C0CC0C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00C0F445
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00C0F5A2
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00C0F8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F47B7 GetFileAttributesW,FindFirstFileW,FindClose, 15_2_006F47B7
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F3E72
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FC16C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FCB81 FindFirstFileW,FindClose, 15_2_006FCB81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_006FCC0C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF445
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF5A2
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FF8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F3B4F
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: JzyWtlVaDZyw.JzyWtlVaDZyw replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C1279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_00C1279E
Source: global traffic DNS traffic detected: DNS query: JzyWtlVaDZyw.JzyWtlVaDZyw
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000000.1737134126.0000000000C68000.00000002.00000001.01000000.00000005.sdmp, MindTechPro360.pif, 0000000F.00000002.2941852709.0000000000758000.00000002.00000001.01000000.00000008.sdmp, Halloween.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/03
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056E3
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C14614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00C14614
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00704614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 15_2_00704614
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C14416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_00C14416
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C00374 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 10_2_00C00374
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C2CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_00C2CEDF
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_0071CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_0071CEDF

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Acoustic entropy: 7.99903860979 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Do entropy: 7.99828405938 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Gnome entropy: 7.99307602247 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Ready entropy: 7.99833337336 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Predict entropy: 7.99792045824 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Bee entropy: 7.99614213934 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Sandra entropy: 7.9989156064 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Praise entropy: 7.99907507657 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Almost entropy: 7.99894390583 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Random entropy: 7.99621260001 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Wright entropy: 7.99888955333 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Shannon entropy: 7.99469915151 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Bb entropy: 7.99924202624 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Extreme entropy: 7.999072405 Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Dot entropy: 7.99842475993 Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\812297\g entropy: 7.99990971854 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\L entropy: 7.99990971854 Jump to dropped file

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript called in batch mode (surpress errors)
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C040C1: CreateFileW,DeviceIoControl,CloseHandle, 10_2_00C040C1
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BF8D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00BF8D11
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004035D8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C055E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00C055E5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 15_2_006F55E5
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C5B 0_2_00406C5B
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BAB020 10_2_00BAB020
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BA94E0 10_2_00BA94E0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BA9C80 10_2_00BA9C80
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C281C8 10_2_00C281C8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC2325 10_2_00BC2325
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD6432 10_2_00BD6432
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD258E 10_2_00BD258E
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BAE6F0 10_2_00BAE6F0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC275A 10_2_00BC275A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD88EF 10_2_00BD88EF
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C20802 10_2_00C20802
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD69A4 10_2_00BD69A4
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BFEB95 10_2_00BFEB95
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BB0BE0 10_2_00BB0BE0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BCCC81 10_2_00BCCC81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C08CB1 10_2_00C08CB1
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C20C7F 10_2_00C20C7F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD6F16 10_2_00BD6F16
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC32E9 10_2_00BC32E9
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BCF339 10_2_00BCF339
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BBD457 10_2_00BBD457
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC15E4 10_2_00BC15E4
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BBF57E 10_2_00BBF57E
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BAF6A0 10_2_00BAF6A0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BA1663 10_2_00BA1663
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC77F3 10_2_00BC77F3
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC1AD8 10_2_00BC1AD8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BCDAD5 10_2_00BCDAD5
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD9C15 10_2_00BD9C15
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BBDD14 10_2_00BBDD14
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC1EF0 10_2_00BC1EF0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BCBF06 10_2_00BCBF06
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_0069B020 15_2_0069B020
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006994E0 15_2_006994E0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00699C80 15_2_00699C80
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_007181C8 15_2_007181C8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B2325 15_2_006B2325
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006C6432 15_2_006C6432
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006C258E 15_2_006C258E
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_0069E6F0 15_2_0069E6F0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B275A 15_2_006B275A
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00710802 15_2_00710802
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006C88EF 15_2_006C88EF
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006C69A4 15_2_006C69A4
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006A0BE0 15_2_006A0BE0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006EEB95 15_2_006EEB95
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00710C7F 15_2_00710C7F
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F8CB1 15_2_006F8CB1
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006BCC81 15_2_006BCC81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006C6F16 15_2_006C6F16
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B32E9 15_2_006B32E9
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006BF339 15_2_006BF339
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006AD457 15_2_006AD457
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006AF57E 15_2_006AF57E
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B15E4 15_2_006B15E4
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00691663 15_2_00691663
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_0069F6A0 15_2_0069F6A0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B77F3 15_2_006B77F3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B1AD8 15_2_006B1AD8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006BDAD5 15_2_006BDAD5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006C9C15 15_2_006C9C15
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006ADD14 15_2_006ADD14
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B1EF0 15_2_006B1EF0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006BBF06 15_2_006BBF06
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: String function: 00BC0C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: String function: 00BB1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: String function: 00BC8A60 appears 42 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: String function: 006B8A60 appears 42 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: String function: 006B0C42 appears 70 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: String function: 006A1A36 appears 34 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal84.rans.evad.winEXE@28/49@1/0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0A51A GetLastError,FormatMessageW, 10_2_00C0A51A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004035D8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BF8BCC AdjustTokenPrivileges,CloseHandle, 10_2_00BF8BCC
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BF917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00BF917C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006E8BCC AdjustTokenPrivileges,CloseHandle, 15_2_006E8BCC
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006E917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 15_2_006E917C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404983
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C03FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 10_2_00C03FB5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004021A2 CoCreateInstance, 0_2_004021A2
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C042AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_00C042AA
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsb6503.tmp Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: file.exe Static file information: File size 2418898 > 1048576
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C1C4A1 LoadLibraryA,GetProcAddress, 10_2_00C1C4A1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC8AA5 push ecx; ret 10_2_00BC8AB8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006B8AA5 push ecx; ret 15_2_006B8AB8

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C2577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_00C2577B
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BB5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00BB5EDA
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_0071577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_0071577B
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_006A5EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC32E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00BC32E9
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif API coverage: 4.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 7720 Thread sleep count: 130 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402902 FindFirstFileW, 0_2_00402902
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040689A FindFirstFileW,FindClose, 0_2_0040689A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C047B7 GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00C047B7
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00C03B4F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00C03E72
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00C0C16C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0CB81 FindFirstFileW,FindClose, 10_2_00C0CB81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00C0CC0C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00C0F445
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00C0F5A2
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00C0F8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F47B7 GetFileAttributesW,FindFirstFileW,FindClose, 15_2_006F47B7
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F3E72
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FC16C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FCB81 FindFirstFileW,FindClose, 15_2_006FCB81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_006FCC0C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF445
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF5A2
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FF8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F3B4F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BB5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00BB5D13
Source: Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, MindTechPro360.pif, 0000000F.00000002.2943688312.0000000003BF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C143B9 BlockInput, 10_2_00C143B9
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00BB5240
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD5BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00BD5BDC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C1C4A1 LoadLibraryA,GetProcAddress, 10_2_00C1C4A1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BF86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00BF86B0
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BCA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00BCA2B5
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BCA284 SetUnhandledExceptionFilter, 10_2_00BCA284
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006BA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_006BA2B5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_006BA284 SetUnhandledExceptionFilter, 15_2_006BA284
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BF914C LogonUserW, 10_2_00BF914C
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00BB5240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C01932 SendInput,keybd_event, 10_2_00C01932
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C050A7 mouse_event, 10_2_00C050A7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BF86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00BF86B0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C04D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00C04D89
Source: file.exe, 00000000.00000002.1901869005.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2941948303.0000000000C55000.00000002.00000001.01000000.00000005.sdmp, Shopzilla.pif, 0000000A.00000003.1746056007.0000000004105000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shopzilla.pif, MindTechPro360.pif Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BC878B cpuid 10_2_00BC878B
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C0E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 10_2_00C0E0CA
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BE0652 GetUserNameW, 10_2_00BE0652
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00BD409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_00BD409A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004035D8
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: MindTechPro360.pif Binary or memory string: WIN_81
Source: MindTechPro360.pif Binary or memory string: WIN_XP
Source: MindTechPro360.pif Binary or memory string: WIN_XPe
Source: MindTechPro360.pif.10.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: MindTechPro360.pif Binary or memory string: WIN_VISTA
Source: MindTechPro360.pif Binary or memory string: WIN_7
Source: MindTechPro360.pif Binary or memory string: WIN_8
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C16733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_00C16733
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif Code function: 10_2_00C16BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00C16BF7
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00706733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 15_2_00706733
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif Code function: 15_2_00706BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 15_2_00706BF7
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1458478 Sample: file.exe Startdate: 17/06/2024 Architecture: WINDOWS Score: 84 54 JzyWtlVaDZyw.JzyWtlVaDZyw 2->54 60 Sigma detected: Search for Antivirus process 2->60 62 Machine Learning detection for sample 2->62 64 Sigma detected: Suspicious Command Patterns In Scheduled Task Creation 2->64 66 3 other signatures 2->66 10 file.exe 85 2->10         started        14 wscript.exe 1 2->14         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\Temp\Wright, data 10->46 dropped 48 C:\Users\user\AppData\Local\Temp\Shannon, data 10->48 dropped 50 C:\Users\user\AppData\Local\Temp\Sandra, data 10->50 dropped 52 12 other malicious files 10->52 dropped 74 Writes many files with high entropy 10->74 16 cmd.exe 3 10->16         started        76 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->76 20 MindTechPro360.pif 14->20         started        signatures6 process7 file8 36 C:\Users\user\AppData\Local\...\Shopzilla.pif, PE32 16->36 dropped 56 Drops PE files with a suspicious file extension 16->56 58 Writes many files with high entropy 16->58 22 Shopzilla.pif 4 16->22         started        26 cmd.exe 2 16->26         started        28 conhost.exe 16->28         started        30 7 other processes 16->30 signatures9 process10 file11 38 C:\Users\user\AppData\...\MindTechPro360.pif, PE32 22->38 dropped 40 C:\Users\user\AppData\...\MindTechPro360.js, ASCII 22->40 dropped 42 C:\Users\user\AppData\Local\...\L, data 22->42 dropped 68 Drops PE files with a suspicious file extension 22->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 22->70 72 Writes many files with high entropy 22->72 32 schtasks.exe 1 22->32         started        44 C:\Users\user\AppData\Local\Temp\812297\g, data 26->44 dropped signatures12 process13 process14 34 conhost.exe 32->34         started       
No contacted IP infos

Contacted Domains

Name IP Active
JzyWtlVaDZyw.JzyWtlVaDZyw unknown unknown