Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1458478
MD5:	814ff8b10d8641b03fcf1e9efc1005bf
SHA1:	25cb52ef822cf0077a11278d936569ed5f5d92d4
SHA256:	976137409e5d45839870a834b4b06bd46495a39d216bb0f31f1f0370fe1b5d94
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Search for Antivirus process

AI detected suspicious sample

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Wscript called in batch mode (surpress errors)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 814FF8B10D8641B03FCF1E9EFC1005BF)

cmd.exe (PID: 7472 cmdline: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7560 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7568 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7608 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7616 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7652 cmdline: cmd /c md 812297 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7668 cmdline: findstr /V "IndieBeachesHonIo" Janet MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7684 cmdline: cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Shopzilla.pif (PID: 7700 cmdline: 812297\Shopzilla.pif 812297\g MD5: B06E67F9767E5023892D9698703AD098)

schtasks.exe (PID: 7740 cmdline: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7716 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

wscript.exe (PID: 7792 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

MindTechPro360.pif (PID: 7836 cmdline: "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L" MD5: B06E67F9767E5023892D9698703AD098)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 812297\Shopzilla.pif 812297\g, ParentImage: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, ParentProcessId: 7700, ParentProcessName: Shopzilla.pif, ProcessCommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 7740, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", ProcessId: 7792, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 812297\Shopzilla.pif 812297\g, CommandLine: 812297\Shopzilla.pif 812297\g, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7472, ParentProcessName: cmd.exe, ProcessCommandLine: 812297\Shopzilla.pif 812297\g, ProcessId: 7700, ProcessName: Shopzilla.pif

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, ProcessId: 7472, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", ProcessId: 7792, ProcessName: wscript.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7472, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7616, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040689A FindFirstFileW,FindClose,	0_2_0040689A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C047B7 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00C047B7
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00C03B4F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00C03E72
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00C0C16C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0CB81 FindFirstFileW,FindClose,	10_2_00C0CB81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_00C0CC0C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00C0F445
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00C0F5A2
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00C0F8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F47B7 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_006F47B7
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_006F3E72
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_006FC16C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FCB81 FindFirstFileW,FindClose,	15_2_006FCB81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_006FCC0C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_006FF445
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_006FF5A2
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_006FF8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_006F3B4F

Source: unknown

DNS traffic detected: query: JzyWtlVaDZyw.JzyWtlVaDZyw replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C1279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_00C1279E

Source: global traffic

DNS traffic detected: DNS query: JzyWtlVaDZyw.JzyWtlVaDZyw

Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000000.1737134126.0000000000C68000.00000002.00000001.01000000.00000005.sdmp, MindTechPro360.pif, 0000000F.00000002.2941852709.0000000000758000.00000002.00000001.01000000.00000008.sdmp, Halloween.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056E3

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C14614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		10_2_00C14614
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00704614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		15_2_00704614

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C14416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_00C14416

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C00374 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

10_2_00C00374

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C2CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		10_2_00C2CEDF
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_0071CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		15_2_0071CEDF

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Acoustic entropy: 7.99903860979	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Do entropy: 7.99828405938	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Gnome entropy: 7.99307602247	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Ready entropy: 7.99833337336	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Predict entropy: 7.99792045824	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Bee entropy: 7.99614213934	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Sandra entropy: 7.9989156064	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Praise entropy: 7.99907507657	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Almost entropy: 7.99894390583	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Random entropy: 7.99621260001	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Wright entropy: 7.99888955333	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Shannon entropy: 7.99469915151	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Bb entropy: 7.99924202624	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Extreme entropy: 7.999072405	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\Dot entropy: 7.99842475993	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\812297\g entropy: 7.99990971854	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\L entropy: 7.99990971854	Jump to dropped file

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C040C1: CreateFileW,DeviceIoControl,CloseHandle,

10_2_00C040C1

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BF8D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00BF8D11

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_004035D8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C055E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	10_2_00C055E5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	15_2_006F55E5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406C5B	0_2_00406C5B
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BAB020	10_2_00BAB020
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BA94E0	10_2_00BA94E0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BA9C80	10_2_00BA9C80
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C281C8	10_2_00C281C8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC2325	10_2_00BC2325
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BD6432	10_2_00BD6432
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BD258E	10_2_00BD258E
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BAE6F0	10_2_00BAE6F0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC275A	10_2_00BC275A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BD88EF	10_2_00BD88EF
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C20802	10_2_00C20802
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BD69A4	10_2_00BD69A4
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BFEB95	10_2_00BFEB95
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BB0BE0	10_2_00BB0BE0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BCCC81	10_2_00BCCC81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C08CB1	10_2_00C08CB1
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C20C7F	10_2_00C20C7F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BD6F16	10_2_00BD6F16
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC32E9	10_2_00BC32E9
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BCF339	10_2_00BCF339
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BBD457	10_2_00BBD457
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC15E4	10_2_00BC15E4
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BBF57E	10_2_00BBF57E
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BAF6A0	10_2_00BAF6A0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BA1663	10_2_00BA1663
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC77F3	10_2_00BC77F3
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC1AD8	10_2_00BC1AD8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BCDAD5	10_2_00BCDAD5
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BD9C15	10_2_00BD9C15
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BBDD14	10_2_00BBDD14
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC1EF0	10_2_00BC1EF0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BCBF06	10_2_00BCBF06
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_0069B020	15_2_0069B020
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006994E0	15_2_006994E0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00699C80	15_2_00699C80
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_007181C8	15_2_007181C8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B2325	15_2_006B2325
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006C6432	15_2_006C6432
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006C258E	15_2_006C258E
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_0069E6F0	15_2_0069E6F0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B275A	15_2_006B275A
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00710802	15_2_00710802
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006C88EF	15_2_006C88EF
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006C69A4	15_2_006C69A4
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006A0BE0	15_2_006A0BE0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006EEB95	15_2_006EEB95
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00710C7F	15_2_00710C7F
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F8CB1	15_2_006F8CB1
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006BCC81	15_2_006BCC81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006C6F16	15_2_006C6F16
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B32E9	15_2_006B32E9
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006BF339	15_2_006BF339
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006AD457	15_2_006AD457
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006AF57E	15_2_006AF57E
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B15E4	15_2_006B15E4
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00691663	15_2_00691663
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_0069F6A0	15_2_0069F6A0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B77F3	15_2_006B77F3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B1AD8	15_2_006B1AD8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006BDAD5	15_2_006BDAD5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006C9C15	15_2_006C9C15
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006ADD14	15_2_006ADD14
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B1EF0	15_2_006B1EF0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006BBF06	15_2_006BBF06

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: String function: 00BC0C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: String function: 00BB1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: String function: 00BC8A60 appears 42 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: String function: 006B8A60 appears 42 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: String function: 006B0C42 appears 70 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: String function: 006A1A36 appears 34 times

Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.rans.evad.winEXE@28/49@1/0

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C0A51A GetLastError,FormatMessageW,

10_2_00C0A51A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_004035D8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BF8BCC AdjustTokenPrivileges,CloseHandle,	10_2_00BF8BCC
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BF917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00BF917C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006E8BCC AdjustTokenPrivileges,CloseHandle,	15_2_006E8BCC
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006E917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	15_2_006E917C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404983

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C03FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

10_2_00C03FB5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004021A2 CoCreateInstance,

0_2_004021A2

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C042AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

10_2_00C042AA

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nsb6503.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: file.exe

Static file information: File size 2418898 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C1C4A1 LoadLibraryA,GetProcAddress,

10_2_00C1C4A1

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BC8AA5 push ecx; ret		10_2_00BC8AB8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006B8AA5 push ecx; ret		15_2_006B8AB8

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C2577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	10_2_00C2577B
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BB5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	10_2_00BB5EDA
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_0071577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	15_2_0071577B
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	15_2_006A5EDA

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BC32E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00BC32E9

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	API coverage: 4.7 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 7720

Thread sleep count: 130 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040689A FindFirstFileW,FindClose,	0_2_0040689A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C047B7 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00C047B7
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00C03B4F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00C03E72
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00C0C16C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0CB81 FindFirstFileW,FindClose,	10_2_00C0CB81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_00C0CC0C
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00C0F445
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00C0F5A2
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00C0F8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F47B7 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_006F47B7
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_006F3E72
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_006FC16C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FCB81 FindFirstFileW,FindClose,	15_2_006FCB81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_006FCC0C
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_006FF445
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_006FF5A2
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_006FF8A3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_006F3B4F

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BB5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00BB5D13

Source: Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, MindTechPro360.pif, 0000000F.00000002.2943688312.0000000003BF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_0-3569
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C143B9 BlockInput,

10_2_00C143B9

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00BB5240

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BD5BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_00BD5BDC

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C1C4A1 LoadLibraryA,GetProcAddress,

10_2_00C1C4A1

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BF86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_00BF86B0

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BCA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00BCA2B5
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00BCA284 SetUnhandledExceptionFilter,	10_2_00BCA284
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006BA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_006BA2B5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_006BA284 SetUnhandledExceptionFilter,	15_2_006BA284

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BF914C LogonUserW,

10_2_00BF914C

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00BB5240

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C01932 SendInput,keybd_event,

10_2_00C01932

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C050A7 mouse_event,

10_2_00C050A7

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

10_2_00BF86B0

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C04D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00C04D89

Source: file.exe, 00000000.00000002.1901869005.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2941948303.0000000000C55000.00000002.00000001.01000000.00000005.sdmp, Shopzilla.pif, 0000000A.00000003.1746056007.0000000004105000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shopzilla.pif, MindTechPro360.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BC878B cpuid

10_2_00BC878B

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00C0E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

10_2_00C0E0CA

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BE0652 GetUserNameW,

10_2_00BE0652

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Code function: 10_2_00BD409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_00BD409A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004035D8

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: MindTechPro360.pif	Binary or memory string: WIN_81
Source: MindTechPro360.pif	Binary or memory string: WIN_XP
Source: MindTechPro360.pif	Binary or memory string: WIN_XPe
Source: MindTechPro360.pif.10.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: MindTechPro360.pif	Binary or memory string: WIN_VISTA
Source: MindTechPro360.pif	Binary or memory string: WIN_7
Source: MindTechPro360.pif	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C16733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	10_2_00C16733
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Code function: 10_2_00C16BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	10_2_00C16BF7
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00706733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	15_2_00706733
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Code function: 15_2_00706BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	15_2_00706BF7

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	11 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://www.autoitscript.com/autoit3/0	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
JzyWtlVaDZyw.JzyWtlVaDZyw	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000000.1737134126.0000000000C68000.00000002.00000001.01000000.00000005.sdmp, MindTechPro360.pif, 0000000F.00000002.2941852709.0000000000758000.00000002.00000001.01000000.00000008.sdmp, Halloween.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	file.exe	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/0	file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1458478
Start date and time:	2024-06-17 17:57:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal84.rans.evad.winEXE@28/49@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 98 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:58:42	API Interceptor	3527x Sleep call for process: Shopzilla.pif modified
11:58:46	API Interceptor	2784x Sleep call for process: MindTechPro360.pif modified
16:58:07	Task Scheduler	Run new task: MindTechPro360 path: wscript s>//B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif	Setup.exe	Get hash	malicious	Vidar	Browse
	75MwheiQ7I.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	package1107.png.lnk	Get hash	malicious	XWorm	Browse
	ljwIPDSwFi.exe	Get hash	malicious	DarkGate, MailPassView, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	P8KA32mz7j.exe	Get hash	malicious	RedLine	Browse
	6wmPebfmfG.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif	Setup.exe	Get hash	malicious	Vidar	Browse
	75MwheiQ7I.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	package1107.png.lnk	Get hash	malicious	XWorm	Browse
	ljwIPDSwFi.exe	Get hash	malicious	DarkGate, MailPassView, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	P8KA32mz7j.exe	Get hash	malicious	RedLine	Browse
	6wmPebfmfG.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\TechMind360 Innovations Co\L

Download File

Process:	C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif
File Type:	data
Category:	dropped
Size (bytes):	1870510
Entropy (8bit):	7.999909718535495
Encrypted:	true
SSDEEP:	49152:7uottM3/K2AQPfHh/L21jiKo2FjI9M6+iCKwNMPv:1twXAo/hz212KoJu/iIsv
MD5:	0F0B22E9E46035CD5603184321DA09B3
SHA1:	19306DBE626F4C3276F2B918B7095D548FBF74C5
SHA-256:	5D7833100FF695C322B4DE2E6DA0E467AF2EA2755BB22D7E38D5AE59DEF8070C
SHA-512:	35528880E916D2414AD0F1AF944757A3370D043B36ADF12E45E0AEF2CA6E3EBC18151B31791DD34800BDF9E8A9A47668231A68A71A2E2841FBC640C144BC6F69
Malicious:	true
Preview:	....~....u.,F......j.. ....B4q.......b^..{.o..C..f.>....j.+....Y@.Q.oQN..mp..x....:#.,.4.#.7..`..z.\|+...3.8...AK.=q.5y.j.\..YV..D5v.:.m."....+y].........:..`....J.cOC.'.n.0..f...mK....h.....?..df..J....U..}..W.zl......1.3..?X....g?;.Y......%..fa~o.S..d..%.....);0.Z.7.}}.P..(`.lE7...dr.M.]..G.#...g..8<...>[.[.......eR./..om..L.1ef..>.D4.......).L... .....v...J .l...W.T.I..R.&..U...Vg.c"&.o.P..Rr....u.+.~.e..c.E....x.&^h.....-......;..g....Ze....+tN@..\|.Oc\..V...W_.B..A.U.....?.z.vy.h.q?..\|....h ..,.jm<...w.R..."R...E.....<.........e......)..t.c.QwmT....Q..!...3rE.V.z...?0.rmK.*.FN[.x......i\/.....wtIc.]....p....X~f.. '2.z...?.#.j..:..Z....X=4.Ela.W(.WM...T....l.0.B....Ee.EE.......#5F..D!..~.u....Lb...;.F....H.5.d.e...#\|..\|....~'.m...7.SD..H..~..}G...k(..Q&..G.#".{se.~...~.)7I./7u..F..5w.,&..9.....y.z...T3...ok..]..../U.R..WE.e.D...eKp..r..N....e!.H..#)(T..._0\|.^TP3.1..9-sC..<..mD.../.<"...b..%.WEZlS..5....%Q\|.j...?$.....)...M..R8

C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	200
Entropy (8bit):	4.881647496788254
Encrypted:	false
SSDEEP:	6:RiJuOybJHonwWDKaJkDvxosQBDNvnnVVwWDKaJkDvxosQBD4:YJeQjWaexos8DZnnvWaexos8D4
MD5:	2F882A56198FF5CEF671FB7C52AFE739
SHA1:	69F562727EBBBDD17E582A035E08AAF7AD76FB06
SHA-256:	6A89D34D849CD4957A32A9E30D01A14411DCCB06D2F51AA887711B82193323D0
SHA-512:	DEFB674290010BFC5AA143F9C9EB03DE8F3629C0B09821B5B0CA22C21EC8041E81BC586F5CE7EB089ED98C57D2932AFDC24A941A39AD7C49644F38F226A91CC1
Malicious:	true
Preview:	new ActiveXObject("Wscript.Sh" + "ell").Exec("\"C:\\Users\\user\\AppData\\Local\\TechMind360 Innovations Co\\MindTechPro360.pif\" \"C:\\Users\\user\\AppData\\Local\\TechMind360 Innovations Co\\L\"")

C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	937776
Entropy (8bit):	6.777413141364669
Encrypted:	false
SSDEEP:	12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5:	B06E67F9767E5023892D9698703AD098
SHA1:	ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256:	8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512:	7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: 75MwheiQ7I.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: package1107.png.lnk, Detection: malicious, Browse Filename: ljwIPDSwFi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: P8KA32mz7j.exe, Detection: malicious, Browse Filename: 6wmPebfmfG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	937776
Entropy (8bit):	6.777413141364669
Encrypted:	false
SSDEEP:	12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5:	B06E67F9767E5023892D9698703AD098
SHA1:	ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256:	8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512:	7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: 75MwheiQ7I.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: package1107.png.lnk, Detection: malicious, Browse Filename: ljwIPDSwFi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: P8KA32mz7j.exe, Detection: malicious, Browse Filename: 6wmPebfmfG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\812297\g

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1870510
Entropy (8bit):	7.999909718535495
Encrypted:	true
SSDEEP:	49152:7uottM3/K2AQPfHh/L21jiKo2FjI9M6+iCKwNMPv:1twXAo/hz212KoJu/iIsv
MD5:	0F0B22E9E46035CD5603184321DA09B3
SHA1:	19306DBE626F4C3276F2B918B7095D548FBF74C5
SHA-256:	5D7833100FF695C322B4DE2E6DA0E467AF2EA2755BB22D7E38D5AE59DEF8070C
SHA-512:	35528880E916D2414AD0F1AF944757A3370D043B36ADF12E45E0AEF2CA6E3EBC18151B31791DD34800BDF9E8A9A47668231A68A71A2E2841FBC640C144BC6F69
Malicious:	true
Preview:	....~....u.,F......j.. ....B4q.......b^..{.o..C..f.>....j.+....Y@.Q.oQN..mp..x....:#.,.4.#.7..`..z.\|+...3.8...AK.=q.5y.j.\..YV..D5v.:.m."....+y].........:..`....J.cOC.'.n.0..f...mK....h.....?..df..J....U..}..W.zl......1.3..?X....g?;.Y......%..fa~o.S..d..%.....);0.Z.7.}}.P..(`.lE7...dr.M.]..G.#...g..8<...>[.[.......eR./..om..L.1ef..>.D4.......).L... .....v...J .l...W.T.I..R.&..U...Vg.c"&.o.P..Rr....u.+.~.e..c.E....x.&^h.....-......;..g....Ze....+tN@..\|.Oc\..V...W_.B..A.U.....?.z.vy.h.q?..\|....h ..,.jm<...w.R..."R...E.....<.........e......)..t.c.QwmT....Q..!...3rE.V.z...?0.rmK.*.FN[.x......i\/.....wtIc.]....p....X~f.. '2.z...?.#.j..:..Z....X=4.Ela.W(.WM...T....l.0.B....Ee.EE.......#5F..D!..~.u....Lb...;.F....H.5.d.e...#\|..\|....~'.m...7.SD..H..~..}G...k(..Q&..G.#".{se.~...~.)7I./7u..F..5w.,&..9.....y.z...T3...ok..]..../U.R..WE.e.D...eKp..r..N....e!.H..#)(T..._0\|.^TP3.1..9-sC..<..mD.../.<"...b..%.WEZlS..5....%Q\|.j...?$.....)...M..R8

C:\Users\user\AppData\Local\Temp\Acoustic

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	175104
Entropy (8bit):	7.999038609788727
Encrypted:	true
SSDEEP:	3072:1z5xKQwY8VkAdwY9MrIC/niZk/4O99tH//SDgGXI3iYkwBvUg52ZqVUSTfYq:hKQMV/wY9e98krtf/m9I3iSNB5O4USZ
MD5:	09E2FD2D8BC6F547CEDFEB5A6479159A
SHA1:	6E2C74E6EB88CC077711EDF6DA915E8DBA0924E6
SHA-256:	38565848421A4E6D46FA86322353BC97DC6D95C3851F844A4DF846F09D0F12FE
SHA-512:	1CBED330E7C10EEFD6A67CE6168726AC728FF59B49666DC7F24BF69F2778C60211E2E3E3C95B0AF6AEFC5CA8E5FC25B10E59B2CE672315648F55091CBEAB3553
Malicious:	true
Preview:	.y$U.3B.5...6!...?R........\|........'..8-.T..Gv.....t[2......<.H..4..r....@..%..z.......?U&.w...\|..$..d.J.cByj~..U.!p.....\..B!.E.....j./....K<.......d.].K..Uh.+e?z....e6YA0.E,u.4[..w....q..../.....js]...)h7...}.........D..@.^7.Q.4\|I.......5i..#8n..N}....@.vZ.UI.......X.o.7".w/}..g\|.a.~_V.Y`.....x.PB2.X.e.xyn...W..+........y........yd'....J....~...l{..Z....2z.tg....I.c!d......V...l.lV>.X.a.......V...`.o.q.......`#.&.Cle5.,..K..s\...I...dl^....."{."..x#...o.x..-A....Tt...._.U..>0f.C...5v..~.s.R..a.A.#.....%7.@......K......1~.T..H.......g....=.p0'...oq+.&Xi...$.....G@K...?..e6.J.[.,...a.+.z...h...L..hG...2...e.{\.13...Z..M.Vz...)..>T........>..oi)4....6..^A2G.pcWp.....N..+M.PmT....".c...e......z4.[.....Y3[...SZ..%.K...&.AQ.......Q......A.dZ....H..G...A#.9.:...6.^.F..u{.e..Mq.8..."{.......$..D.:C.SH....k....G....f.h..QoG...J....0.mQg.{.....4=....j.GS.hW.....'....6DjF.Eb[}.f.......T.........2...3$...b..F..S.DU.^5bwb..L...........

C:\Users\user\AppData\Local\Temp\After

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	6.513475428211949
Encrypted:	false
SSDEEP:	384:3lwxFwfydtw4QGE2v9fwz3AwstdBx3auBxw6eY:ViFwfGW43E2lfwMwstd7FBZx
MD5:	21637A923846FFA2C94BC138D834E72C
SHA1:	C3BF7CF1359FA0AC0491E84ACF343511BD7450DB
SHA-256:	525A84A7D19A08132883B275B9CF4DF2C5730C0935900F4C2D50FB4C224BE7D3
SHA-512:	A185C99150B6A1FE7B1AFEE6196B00332387F6870DFBA7BF094E1B90287FBACAC967045302B668520F3ADA43AB777834BD9BA8705500CB3013E213926A8A9F89
Malicious:	false
Preview:	...t<..............4..IL..u.....E...F.j.h.....F.P.........F..U..M.G.}.E.@.E....U.....IL..=.QL.....IL......;.s$f.A.......Y..a$.f.A%...Y8.Y4..@.M...F.u.M......j.[3..}...............5.IL..u.>.t.9.t...F....F......F....u.j.X...G........P..d.I..E...tL..tHP....I...t=.M..%.......u...F..@.....u...F....F.j.h.....F.P.........F.....F..@.F....@bL...t.....X.G.=....]......3......j......Y.j.h..K..n...3.].u....u..P......}.....................;5.QL........................IL...D8....u....... ..jV.....Y.e......IL..D8..t..u..u.V.^.......................... .....}..E.............(.u..}.V.Y...Y.................J...........U.......?...P.K.3.E...D.....E..M.V3...8...W3...0.....@...9u.u.3........u......!0.[...................................(...S....IL...$....\.$.......t....u+.E....u.....!0....................8....D.. t.j.j.j.P.p>.......8........Y....P.....(.....$.......IL..D.....2....!...3.@l9...........P..(........<.....$.......IL..4.....I.........9.<...t.............I...0...3.!

C:\Users\user\AppData\Local\Temp\Almost

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	168960
Entropy (8bit):	7.99894390583128
Encrypted:	true
SSDEEP:	3072:xjpeF0dzBma2csog356vFWFwCjq0gOwVVaVmty74jT/savMH+vvRAPryOeOUJN8k:xjpS452bog3EI2CWROesVmt3T/VvMevt
MD5:	2140E91DD200A126F7C6B11DC54538EB
SHA1:	0CC5483090145F8A5DEA2E03837A42D54C0B82A5
SHA-256:	1E9F4820BDA924B37EFD9D56F9129A28292D37E28786E07A9D869376A092B64B
SHA-512:	55D0DC89662CFF04821CBCA9B0C8468A261A39299E586C21F0A33665ADF73ACA7EE0A14E5CD893F149FB06C065225A54A4119A504A81BE5EFAC3632D426FD923
Malicious:	true
Preview:	Z<].GmQ...g.......`..R..;e....:O.d...$:-.O.......L..o..>....J4..m."..Q.!s.....5. .l.pn....O.....7#HEm.+..y.[#97.J.g.^a.Gfa[.Z....@...,G.....L..S.$-'......br.,...e..5....tv.B.mCL.3...<q.q@SN...WK...mIqQ.~..l/..Ymn.{..X._..[..&.>..'.....E..k...}.t.\|).2YJ..h>6....@.Sh%.X...,.M.;.....o..Z..@."z...y.%L5l..@...v.F....(kL.......$...!^m....!LV.......u.(...._ ...."..48.$....v.`.'.pc..l.=...B..]........g.....<.8./.. B..`.....u.S.......q....t..<..i...~'W... K....aL.z){&.AYh%. .....?.....<..GN...Z....~7..+........d.......).V.u..a.Yk.1V..u...s...k;Z9..b../e.oLVd.,.1\...ly..2<.. ..9....,.P.%...%...^.~!.?Mg%G....\|....p(...A#..q...$r..-....7c.........7..FO}\n$.!h..$y...-!....c..[...`;.........V..}\S`...W.jA..O.@(.x9..+...R.C.."....E.Z..m..n...C.9....Wd.....A....=7.5O.*.A.......g.......QR....qN..."..3.......L.LiODB.L..../r..d9.d.&.;".M....}`..>EK.N.....'..{)...O.g?.p...v..s..P.G.b...Iw..M...U...Y..4C...x....8R..h`.M..@..2.c...YK.{._.m~\I...

C:\Users\user\AppData\Local\Temp\Anticipated

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.664047309777273
Encrypted:	false
SSDEEP:	1536:3itgXKUvl8UTcyzJW784Lle+1X/tcATs3Q:SuXtvrhzU78Gle6Ptc+s3Q
MD5:	3E4BDFEC2576D42D0FC8CCC2FC881357
SHA1:	22397318970F53716FC57A8E016CC39178E9F10A
SHA-256:	1D514F8D3E64893E12FD4CFC1A49646F19FE093677298964705495AB7E62D60F
SHA-512:	2D00F8C39227F663F7C24370035747053E8F6C73353C35EE70F98D745EB36E3ED08358F05AC9DFC840A4D6B94583330A09741E36F6D7EC9F5B4C73C4362A36D6
Malicious:	false
Preview:	I...^]...U..f.E...dSV3.Wf...u..E..@...t...S....f...uP.E.SSj..@.PSS....I..E...3..j.Z.........Q.Q...YW..3.Vj..u.PP..V..x.I.V......Y.Qf...u..E..p.V..x.I.V......I..3f..Hu-.u..}.j(.E.P.v..E.P......H.I...t..E.P..x.I..._^..[..]...U..f.E...PS3.Vf...u..E..@...t...S....f...uT.E.WSS.@.j...PSS....I..E...3..j.Z.........Q.v-..YW..3.Vj..u.PP..V..x.I.V....-..Y_.Hf...u..E..@..0V..x.I.V......I..(f..Hu".E..M.j(Q.p...H.I...t..E.P..x.I...^..[..]...U..VW.}.W.2...W....\.I.j.Xf....w._^]...U..S.]..u.............M.f.......f;.......VW.u.....I...3.j.Z.F..........Q.,..Y.u...W....I.3.3.f..w..f9.tA..f.8:t.F..wf9.u....G.h.K...pP..4.I...u.......3.Wf..w.Z....M.f..W.,..Y_^[]...U..M.V3...f91t,SWj,[j..._9u.t.f9.u.f.8..f98u.f..B..Qf90u._[^]...U..E..H...t..u....u..u..u..u.Q.P.....@..]...U..E..H...t..u....u..u.Q.P.....@..]...U..E..H...t..u...Q.P.....@..]...U.....E...\SVW..uQ.E..tA.E..x..u..u ..t.V..\.I.j.Xf...E..@..F.3..~.........t.........j.........`....U.3.9z...M....M.k...B..I..L$(.\$$;L.0u...t$..........t

C:\Users\user\AppData\Local\Temp\Anyone

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1797), with CRLF line terminators
Category:	dropped
Size (bytes):	29388
Entropy (8bit):	5.02051729482519
Encrypted:	false
SSDEEP:	768:zoMoPn45zXylsJlFD7B8DazeeD3IXZJdSrQRLPX932:cMoP4UlelJnqZJdSW32
MD5:	B2CFAF4AAC73F87113653D5EA8757631
SHA1:	0E5585A9B6A7A04E37CEDC1CDA6827F81D3F8687
SHA-256:	EC2838EC67B6B6B4E46D2D9450E89FA5C8C268876D09ED40CC9DF2C57CA4F157
SHA-512:	A62C9C31D720B2D710C799732A0F8BC45EB5233F38A0ADD244623294B09EC8335FE815B24FFDF03A984D522E5E623416948C7D2B511D8F3A49CE140E107C2068
Malicious:	false
Preview:	Set Reflections=m..TXLRaise ..aefzPoverty Thong ..XwXnSick Previously Eastern Activities Robin ..IsaAllah Sister ..QtIcFilename ..Set Discover=R..ppKEarnings Former Eco Kg Penny ..bjsQUrl Villa Minneapolis Assembled Naples Wound ..gCzSFact Lung York Newer Copying Drinking Expedia Lb ..dhEngaging Apartment ..ApaCDist Baghdad Iraqi Automation Russia ..GATransferred Celebrate Cambodia ..Set Hood=e..XIjhAcoustic Example Kijiji Orchestra Productive Guidance Restoration Marvel Broadcast ..tlRMarketing Digest Atomic Tue ..qHQlCoast Call ..NtVSBoob Msgstr Jump Var Mozilla Sri Functioning Gardening Indiana ..xVVaries Ee Associated Account Productions Therapy Reasonable Hindu ..dpEssential Inputs ..IqbMaintained Cartoon ..hTPodcast Critics Ment Indeed Memory Melissa ..Set Ieee=d..kRJGotta Ag Buffalo Logan Stronger Donate Encouraged ..gxPLOs Complex Garcia Proceeding ..wpcwCnn Webmaster Pretty Restriction Replaced Singer Wallace ..MYAuthorization Combo Hide ..jZEH Souls Resulted Reasoning Bright

C:\Users\user\AppData\Local\Temp\Anyone.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1797), with CRLF line terminators
Category:	dropped
Size (bytes):	29388
Entropy (8bit):	5.02051729482519
Encrypted:	false
SSDEEP:	768:zoMoPn45zXylsJlFD7B8DazeeD3IXZJdSrQRLPX932:cMoP4UlelJnqZJdSW32
MD5:	B2CFAF4AAC73F87113653D5EA8757631
SHA1:	0E5585A9B6A7A04E37CEDC1CDA6827F81D3F8687
SHA-256:	EC2838EC67B6B6B4E46D2D9450E89FA5C8C268876D09ED40CC9DF2C57CA4F157
SHA-512:	A62C9C31D720B2D710C799732A0F8BC45EB5233F38A0ADD244623294B09EC8335FE815B24FFDF03A984D522E5E623416948C7D2B511D8F3A49CE140E107C2068
Malicious:	false
Preview:	Set Reflections=m..TXLRaise ..aefzPoverty Thong ..XwXnSick Previously Eastern Activities Robin ..IsaAllah Sister ..QtIcFilename ..Set Discover=R..ppKEarnings Former Eco Kg Penny ..bjsQUrl Villa Minneapolis Assembled Naples Wound ..gCzSFact Lung York Newer Copying Drinking Expedia Lb ..dhEngaging Apartment ..ApaCDist Baghdad Iraqi Automation Russia ..GATransferred Celebrate Cambodia ..Set Hood=e..XIjhAcoustic Example Kijiji Orchestra Productive Guidance Restoration Marvel Broadcast ..tlRMarketing Digest Atomic Tue ..qHQlCoast Call ..NtVSBoob Msgstr Jump Var Mozilla Sri Functioning Gardening Indiana ..xVVaries Ee Associated Account Productions Therapy Reasonable Hindu ..dpEssential Inputs ..IqbMaintained Cartoon ..hTPodcast Critics Ment Indeed Memory Melissa ..Set Ieee=d..kRJGotta Ag Buffalo Logan Stronger Donate Encouraged ..gxPLOs Complex Garcia Proceeding ..wpcwCnn Webmaster Pretty Restriction Replaced Singer Wallace ..MYAuthorization Combo Hide ..jZEH Souls Resulted Reasoning Bright

C:\Users\user\AppData\Local\Temp\Bb

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	198656
Entropy (8bit):	7.999242026241879
Encrypted:	true
SSDEEP:	6144:GDfcquc0KXowzAptg0farVFjuI2WowwIEkWQzVyYR:cSwz30yCI2RYZyYR
MD5:	5F3CFBF4470EB496F8024C3BBD3DD6E8
SHA1:	3C9005A1C835997AC4563B02B28893258FA44CAD
SHA-256:	2A3DA06C81D2C53D1DAEC0A8A5AA1C64CEF52D4FF533C794E02E89D8ADA2F082
SHA-512:	4E119F54491513AAB186BA1839D8A25E4234B17310508B1AD09CFAF0C92E0C68A95B697F49D70B0F1DE6562774A6BD7A7F89C827F157C99E71D856A2BB81E8FD
Malicious:	true
Preview:	...=..q...Pp.g..=.e..<\|........]n#..5....v....I..&.....o<e.M... 2C....2.......4.5%......Q....:{....E.q..Z3.fr...e.Rq5@.\...&....{.G.y.v.[..".}.[.....D.\|C...?-.F.....b.}J..97.KUG D........hh}0.t.zI.b..P.h.....".a.N..L..QB.j..C.vf.}c..c.......t..a...9....h..9.."..g.g.D..?<~b.a....,..t.......B...(.4E.:Rx..E..\|......U.3........o.i.O.h.V4:..z'F.[k.3.......%....o.....T..Z..0>..'.M......_......t..rF_...\|...6C".....C.K$.d{....i.a..F.^mf...Q./.<...-.]W.o.Hirh$.a..~....r.T.:.............(..PJ6\|.qb._./.E.:....KM..3JV..<.AV....K..6..;....e...g..aQ...(..1..m.+.Sn.....-.q....Y.:BD.....b...!H.'Y.....!..F...OS.z......G.L.g....6t.H\....d.gWv...l..\|4.J.BW#..h......Qo..D.LJG.>._...&.....{W <k]>!_..=......0{.WGRq.M......l......]6n..za....eS.6}.:p/..^....NQ..n)......\>@M.F...l..e.G)J.......D&.T.ac..-....D..+.B_\|...T...5#R.zT..9G.~..c....+S......@...........I7.9H...`.7b.\|w'..'..N^..(?.S.+'....I.M]....}*..~fV.y...2.....4..._.mu:.Kh....z<.....S.T.

C:\Users\user\AppData\Local\Temp\Bee

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	7.9961421393381
Encrypted:	true
SSDEEP:	768:oARRwm8z64/B2iay3eIAiS2yOu2kZN7qmgDXBF7PNsJ019kk/pH7cDkJA:pCm8f27y3942dkZN7qmYBxPNsJc1hQkG
MD5:	EA6F73223534C1E0F965521FD8379B6E
SHA1:	309DF2C205956373BE3D46F09C9806AC77AD1BC1
SHA-256:	BFEC273A032E4FB30681CAEF31B7EA466165518E7F5CB917A159F1B1B88D60D8
SHA-512:	2843CD24B337D907D220913E701278764CDD17BDBB8DFB47EE0EBADEF9075F502160E9EB39105C133DFD69EE556C382AD00653D3F565D97B2563E1921DD83AEA
Malicious:	true
Preview:	.n.Y....#..e.........:.#K.....wN...M.......O....Hf..{a(Q.Y\k....Qc...\|...o..7'...g..6..(R.mML..h.>.H...(.}5..h..@..2...8~Me.0...82.u.j+9..z... ...vZE1[.......uI8..aI-.LP.....j.-......C...$V\|.........m....\.M=.&p..@.../o+.X'..=.w..c....'W.2!.{[\.E=.#...q..O..6-.h;.3..te........b...+$..F.....@...5....9.d.B..B'g.z.3@.Z.;.L,,..Cd...Y......zL.l(.H."...<.<0..\|.2&;...Tje..8z9.,D<..k.B..._....F....Ly..E....A.9b..=.....2.J.[...P....4%`U..q.).....;{...g..;.K{.S.....-.x6....y.m;...U..-.....%<.k.q...%c..<....Y)$.S..F....nA...g]9....C..'.<.AL.l.d.yqg.\|......=..:..../.=.nr._v.cWM..y.r7l4...nf...3.T[.....R^..6.r.bn&1^.I....@...^A/.W.._......7h.>..R...w...}1.....5..[.V....3~..Z...2....S.K!q...k.,J..*....UQ.o......)^.w9.....G.6D.....s).....cI:7....7.x.ks.wc4?.!F...5....'y+.ekJ..9.../\...a..O.D.........c'D..:&.....~..Q.R\V'.....n...t.u...my.C...@..$..c#.&7.Gn...L..@.H$~1.&..#.#...S.j...?...~.s...kDjt.vn...9.c.U...Wh..S;.QwD)%.K.q.u...Q...J

C:\Users\user\AppData\Local\Temp\Blessed

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	6.055961306445814
Encrypted:	false
SSDEEP:	768:FRGrkx3zN3AFR97T98+sDkXLAlMoLVNIo8DJWxWWbP75qcaTlKWzhQVNsbSSkLQl:6YNB3OFTR7bAlHL/4aj5Vf7gJ
MD5:	8C4D5E5B6681D53903F7E43F5E829DB5
SHA1:	DD3F2E0AC13311D57FB75B52099408C0B73CD887
SHA-256:	4F454D31A163E24A0D3881BA15B7AF11677D13AA80A8E46BE391D0261590B084
SHA-512:	EB44871E400A7EB6769B6968BF24FBEACBB81D6D2B39B1A101FFD4E123170348D2298B41638F976A1A840AB17DF1F9A67639B420DA144C8E0EFDE8B4D7C8B479
Malicious:	false
Preview:	..D$.@.D$.;.\|.D$...u..M..D$.P.v...E..@....x..u....6j....t.Q...ff...L$...D.._^3.[..]...3..8...U....SVW.}.....e...M.]..w..].]..].].......x.....v..G..H..*w...E....v..G..H...w......v..O..I...w...E....v..O..I...v...E...v..O..I...v...E....v..O..I...v...E.O..1....s...u..N..u.S.u..u..u..u..1..R.........w...u....!t...>_.F.....3.^[..]...U...u..u.j..z...]...U..E.VW.@....Rv..P..gL...V...u.......s...>3._.F.....^]...U....SV.u.W.....}..F..}.}..}..H...v......rw...~.....w...~....%w...~.....w...~....7w...~..v..F..H...u....~..v..F..H..u.....u..V..u..u.J..u..2SW.u..P...u..P.X...u.......s...>_.F.....3.^[..]...U..V.u.3.W.~..w8.N.j.j.P..j.j..@u..Pj..OT...u.......r...>3._.F.....^]....F..H..>....U...8SV.u.3.W.M..]..F..x........rv..j.X.E...q...O....E.A..E.A..E..A..M.E......E.A..E.A..E..A..E....E...t.....M.E...A...E...uZ.}..E.P....w.......v...~....wF.N.P.E.P...\t..P."S...u.......q..3..>@.F..M...@.._^..[..]....M..@...F..H..H....U..SV.u.3.Wj._.~.....u...~..w%SW..Q...u......\|q...>3._

C:\Users\user\AppData\Local\Temp\Cargo

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	6.691663107764293
Encrypted:	false
SSDEEP:	384:mGJT9CqmVP69SQaei6QzJ17uyevo9rfzzCunpyd3e0cTl3:HRHq6EQ1Q37uyevo9T6un8d3e0cTl3
MD5:	FEDD553B946D1D12BEC2021F12D522EB
SHA1:	B2EA727D3A7D655B813ED01DA1AF4E5AB6B255E4
SHA-256:	DE2A1B87D927F09729E356ECCE33D485FAD1C8AD8B47E079915311AEABDF5150
SHA-512:	4A03B4F729B80CB7D0E22DA7DFA70A96342AFD48924688FE768B90CBC0537F9CAC114A4CD49EE312709351582A175CC3E5B966C4C3C42762B7D4E46712EF657A
Malicious:	false
Preview:	.u....u..@D.t.j.....j.......YY;.t.W....YP..X.I...u...<.I.....3.W.....Y..............IL..D9....t.V....Y.....3._^].U..V.u..F..t .F..t..v...!...f.....3.Y...F..F.^].U..W.}...u..q...................G..........@........t... .G..........G......u.W..S..Y...G....w..w.W..:..YP.0.......G...................G..uQW.:..Y...t0W.:..Y...t$VW.:....W....x:.....Y.......IL.Y^.....K..@.$.<.u..O.. .........u..G..t..G.....u..G........O....A...............G..g....._].U..V.u...u.3..m.E...u..E~..j.^.0.......SW.}...t.9u.r.VWP.:......3..6.u.j.P.. .......u...~..j...9u.s...}..j"^.0.z.......j.X_^].j.h0.K..{..3.].u....u..}.....}.....................;5.QL........................IL...D8....u..F}... ..........;E...@u..,}... ..X}.........uV.(...Y.e......IL..D8..t..u..u.V.a............}..........\|... .....}..E.............(.u..}.V.s...Y..\|......\|.........d........z......U...(.E.SV.u.Wj.Y3..M.}..u.;.u..p\|...8.\|.........O.......0...;..QL...$................M.]....IL..D................v...\|...8.D\|.......

C:\Users\user\AppData\Local\Temp\Chase

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.543408812032519
Encrypted:	false
SSDEEP:	1536:MIqIinTglynkQ3+EX0eomqewgMQjKy6xrnVRCOaD:MIqnnTJkQ3+FnkjKy65nV8R
MD5:	BFAA2C5440703CCE4E53FFFD52AA6B6E
SHA1:	8CA2E6F2E4D99106EDA9593332A66E0D68AEA86C
SHA-256:	CA514C2586DDFACFDCA3F141E45125D13E5E67C8D302335B37345D404A32F335
SHA-512:	3D6714C3094D3A4A4CA642CD4F22245624FFCCDF0FA081CB57C438521FC235F0239A3BCED8DDF0DA5BBDA59FF4C381809584ADC6066FEC16F249DA4DBEE9A9D8
Malicious:	false
Preview:	Ps....$.}..E..B..B.7.\|3r.Cx..l......A...=.6.U....".<.j....}j{=...k..4...3{.~..Nf..<...mI.#.../.d.f.YS...C.C.fb....M....Cb[..;..".....m...n...(.....64p....e.7....8q..Z.D.j..y`...6eG..~.S....;Q...).....};..v...Z..,.vm.Y#...\|..9.)...s.:O2...X.#n" ..0....?..<...011...~..../.C.6...$."..}._.....,.D.v..B....>...?..._..E.0..L..5;9-..=..z.i2.,.-t.+(b.#B.>...b.Ic..d.....@rY.`.....L.p....l..BX........W.t..43...%..K..5..A...k.X..'.....};u.)../..;....4..;-...)0eU..Tr....3e%...R......[........F./.T....P.X\|....%..E.\&.a.._.. .4.......b......]...czz..SS..js.....yQ.....)V.L..&B.Z.l>.u...{.....}.Y.>.S..C.O\|..1...%d.....b....C[.aL.)..l...b.#/D.)xQ.$..D.^K.!.;.....:.f..F.Ym....$...A4...\|A@.)B.`.oW.8.w'n..V..u..e4.-.T.....EcIC..b..]?.8.S.h5.8..xd......^..,Z....R[..s.).d..Ip.y..9+...4.Q....!...........&p.......c..........p6>.9.....$.1.Gp.2.q.TB>...._....l.z....m..g..d....:Ng1D .5`.\...1....0..n..E...dLs.......p7I2.=.?...u.M.$..K"6..[Q...!..~O..,.y..N..y....ql..

C:\Users\user\AppData\Local\Temp\Commercial

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	6.615428616509395
Encrypted:	false
SSDEEP:	768:S+ylIt0su0B4y+aZmzddtw1E1Yd5dArqsfGuYJhLgU:xylIusu0B4MmHtt1OPR
MD5:	EA57BBA9A44829EAEF8DE94A9F319E41
SHA1:	134B24A74937145A83501F1A303122ED85FD323B
SHA-256:	5A4BEBF9B3F9940254D11C700E3A6280D1BA1F5DEC767B3272E8F3B9B7C91765
SHA-512:	D1F4F1578B647B78B53CC036CDB9D24546276D8E562A7584AF01CB730684F57BCB88889666D4C56835963EE7D3F23E2E4292308EE36E3A3EA1DC344FEDDBF8EA
Malicious:	false
Preview:	M.PQ.u.............t...E.......w..$.^.A.jjXf..jpZ...j..E._....._^[..]......f.}.j!Yf+.f..f..(.......E..P.E....p..p...YYj!Yf;.tkf..#tef..%t_f..'tY3.M..t.P.M..Q.u....r..........x....``..jl.h.....Z........F.f;.t.f;E...p.......h...3..3.A.jk.4...jm.-.....A...A.P.A.P.A...A...A.W.A.W.A.U...<SVWjw..U.Y.E......E.....E.....E.....}......v..u...f;...X.........;..........;............e....x........{...e...E..P.E..p..=.....].YY................`...M...........n...b...G..u.U...3.+........d........e....m........o...e...E..;........F...+.r ..........".AB....z...;.r.}........3.@_^[..].....;.........n........*....K....f;E...2_..jwZ..A...Af9.t..u..U...W.u....................@dJ...C.U.jwY.....E...w....E...n...a....._........w0.u..E.;.t..u..G........+...3.@....2.......w..E.....E......u..}.........]..}.....t\|..K.....+......}\|......;..........@dJ...C.Q.....C..<C...@dJ...Cf9........u..u...V.u..........t...G.._..U.jwY.<Gf9.t......3.......C...Cf9.t............w....M..;...+..rc..U..

C:\Users\user\AppData\Local\Temp\Complicated

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.869733776653667
Encrypted:	false
SSDEEP:	384:9xiVnoXM4INduLbbOxidDQxahM2I4kDehJ0IHnHV9:9UGM4INduPbOU+aI4kS9
MD5:	6D9B05A5C2B1B39C8D6881A1A4182AC3
SHA1:	6FBBF80020B4360D77BCF2C16623807FADDC0FFF
SHA-256:	9CB6E352686A2B502B8F99C62EBCFC0DA2E7700DABABA5EF6E19A495B8B45DAF
SHA-512:	983AC84D442DDE1DBBB4133C41C72A175A7FD7C9F8BB3079F4452AEF7D40C4547CCF76A7CE766A735C34A9529835215BD7FE1D40D774E575188C4AC170827791
Malicious:	false
Preview:	......=.{.ss..?VV&....=..#.k~.?[......<.......?vB.....<.6..#M.?...!..<.......?q_.w.#.<.....".?...R..<.......?k.=..C.=...B...?..._...<.u...r.?.y.....=.Dw.b..?.(,x.n.<.<".Q/.?...q.q)=..o\l.?.)...T&=..7a..?....L..<..?\|6..?.......?#.DZ9..?.......?../....?>6)}...?, .,...?......?M......?..x%q..?.. ....?/x.bJ..?.b....?.u....?(Z.....?..t....?{}.2F..?.......?_.2...?>.T.^..?.u.....?.......?4t..d..?...Z...?(......?WI..Y..?...d...?.{.....?\|...:..?..S9...?...s...?.......?....K..??......?l......?.Z.3...?..;E<..?.fSOs..?.J.Q...?.z.L...?...@...?{yK+;..?.j.h..?..F...?-(.....?.n.....?@..F...?....)..?.P..J..?C..Si..?..^....?..B....?i\|e....?.......?......?.a.k...?c......?X.!...?89.l!..?f.h.+..?....3..?)Ao.:..?.1(>..?..2:@..?>.?@@..?"I.r...?6..4...?..@...?.......?765@Z..?.&+-..?w.'....?...Q...?.Gp.t..?.2.&..?X..9..?B..q..?/.?....?v.....?..Mj$..?.3....?.s.....?.b...?V.....?.%..S..?V.....?.%@...?...U>..?2.,.\|..?..m...?V..k..?..9....?.I.@.\|.?..P.3y.?..?}>v.?..H\|As.?#...<p.?._.0.m.?t

C:\Users\user\AppData\Local\Temp\Continental

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	3758
Entropy (8bit):	7.955825944063038
Encrypted:	false
SSDEEP:	96:aruR5jb0WREDgxPm6gy7npbg5/0vWY4L81Igi:a6Pjb0WLvf7nc0vWBSdi
MD5:	E71DC861E5DA1647408163EF3A0A00BE
SHA1:	BF605EC917111BFFAF9C506E7B8BF6A40C57DD18
SHA-256:	F98EDD19223DB87BA0CDE9455D054913741745518AFF17E34E53BC17E7A730EB
SHA-512:	39348B90160C594D7A9CC7F2084FA6FBC8393D7BAFC824F803677576589E18F6257DD3DB601E6DC8FDC1F35AFB5F9115D9C0CAC086B0258A150047947F0CDEB9
Malicious:	false
Preview:	.>.....j# ............'.\<.n.i.3....n..FHK2....OJ...._.8..X32...f...C.R.k..dB..v.......u......."v\|.{g..0.. ...X9.B....T'..h ..0h....-..,..C..p.p7.w...d/.N3m.[Ql...:....>/...q...8..N.....=......Y`.D'E...+1t..(..k8e..~{y..r.=3LestB..T..;.V......CMF...=C77.)..p.T._hW[......!..C..m.y.Y........{...XM..q...;....._....x-s..p5m..R...Uo.\%z...~.h......r......!@.i.-...l.`<...AT..'..........._r =x.%IZ.j^Yo..)...].x4)XO.._.y..2#:V...H.^.TQ....p%z.b..1ly.....z...... qy...,D.q.j..w..@x.......?...(.?\....Wq.}...p.;:..a.3n.....\..\|9.7.6H... .M..C..ou....H.../3.....:.L....I.<..1..G.=b..pGMv-....f......=......K.F......%.......S...c/n/.4..G4..i;.Z...i4....... .....s;z...y..q)....49....P.6c.n......t....I...B....(..nr..!......d.ep..Z.'.4.#...^..u.Ur.....a....B.I%...'..?.<1.\....r%.,..M..Qu.9.K..Ax..o.K.\|A..~... .....2.x%.c.I.....Z.Gm.%zc..A..S..}xh..XsI.. ..t^w.....Y.+.........t.".&...p.,~R....9....v}....bym..."..z..m...5.G....z..`......C.(\|.R.~

C:\Users\user\AppData\Local\Temp\Cunt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	6.721792279852187
Encrypted:	false
SSDEEP:	768:pci1Q8I2jNxEte07EWGnikscax2OCkQuG4ypQ9Fsqib9futLZzWaIxyKw7nxZLL:pctpYuYtWGJG2kQyyy9FskzWaIxOvL
MD5:	38C1C76764BB42BD85591EA88523C88F
SHA1:	0FD62ED3B7007DBD9D1F52DCBEFE98F4AFC56109
SHA-256:	D31C36CF0644BD5C6A34E8FD46D659E8B51C16875EDA9C801AA1605C0C7A4806
SHA-512:	B2ABFCDD0176832347EA07CE0C6139EDD5690E809EC720F64F2AC078FF2E142678A235BE224E767E94E736E0577629903A6E8ABF31493121E7B692D92B1952B6
Malicious:	false
Preview:	...Y.F8;...L.t.P.?...Y.F<;...L.t.P.-...Y.F@;...L.t.P.....Y.FD;...L.t.P.....Y.FH;...L.t.P.....Y.FL;...L.t.P.....Y^].U..V.u...tY..;...L.t.P.....Y.F.;...L.t.P....Y.F.;...L.t.P....Y.F0;...L.t.P....Y.F4;...L.t.P.~...Y^].U..V.u.....n....v..c....v..[....v..S....v..K....v..C....v..;....6.4....v .,....v$.$....v(......v,......v0......v4......v.......v8......v<.......@.v@......vD......vH......vL......vP......vT.....vX.....v\.....v`.....vd.....vh.....vl.....vp.....vt.y....vx.q....v\|.i.....@.......[..........P..........E..........:........../..........$..................................................................................................................@...............................................\|..........q..........f..........[..........P..........E..........:........../..........$......................................@................................................................... .........$.........(.........,.........0.........4....\|.....8....q.....<..

C:\Users\user\AppData\Local\Temp\Do

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	7.998284059375094
Encrypted:	true
SSDEEP:	3072:UMssvV4vNLNY06ZzDJohyv3HhxB0OaNGbH0DAhma2:UMsoV4vNL206ZxoaHv2GbUy+
MD5:	6AB85EADDAF4E2488D9B51A9F28D0D58
SHA1:	C5F7A2698202C7B0E2ECBA62312CA4C8CF73D687
SHA-256:	6C68BD290806A805B8041D8D0E39AA6FFD7A05FA8AC189E9082426D0FD4E0F2B
SHA-512:	584212549B2F5033FBF31D713C61FFB7D08613FDC184664B254B10A0D664F605C5BA08FCAA19361B9D4EA965E7C4A9F0F19C8D5F76743D011BF6A241420BFCE6
Malicious:	true
Preview:	....iD.Zbb8.F...cG..)..D....@#^...}Q.....v...j.Ic.}.k.RG$7u.Lu.....bQ.H......{n._......f:L.....e...z3..z...).6W.+x.K.X'...1Q\....h]..d_......3.B!n0N.;......'vN:."P._.'..3...T.'.....\|;\w..6.E4<...h..o..._OGrl..D..(.l#.tN..e.w.g..a.:.]..v.$.m)....pV.c.V....H..2,..........Ag.\.....}h..S...>+~....r.`.t....B`=..nM2.......r3YTW&...P..q.fK#rO.l.#.h.8.1.eSR{.Z8....3z...\...p'...S;&.H..u9v9..Hw...L...:.6.....#sQ55..d7D....^{<.4i...XYN.$?...f..............'Ov..;r...@....\|..4.N..U.T).vqX..O..z.I?..C.............B...Fj..4.9q%.PHq.@..Orz..fA..F........M...Z..':..pM.".8..u.&z+....K.p.#..3..B.?........j...wE..{.qZ..&'.(`k.D.<w..OBe. ...H=........<......6.f.(8H....f....w.n"..Aa..N..,............v.y..}C...,}.{.0.5.D....@.J.gQ.(...<r.P.x..d.s.b...;..h"!:.4P...^......a4.6....N......;O~...7q2.5.a....../..c...4/.UW$.\|...i..2.M.`.../@...Y>.'.!.uu..Gz.qW.*.7..P..r?P.ZU.....h..".....~..w.....Ob.F.c.W....GW.fL.@....n.6.?..~..W.B...6.T..j-........Y..-w..k....

C:\Users\user\AppData\Local\Temp\Dominant

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	44032
Entropy (8bit):	4.597301189780875
Encrypted:	false
SSDEEP:	384:dFr9LE/MpfhwHLWAkqLyH3Per2Wfn2HuboETcKiKjxq/l1qIvtx4MjNyREfP91uJ:zbAGWrT+UTcL4qHq25NKEHqJ
MD5:	FDB3D14466B9B2387E8B02566C9DB621
SHA1:	70CDBDE0DCE8600F31F3E40368502DE354D844EC
SHA-256:	1687C8DD55450BB3F0394A9281F8E1E0DF3CD099EBCC0CE2F3F7F3BA9168377B
SHA-512:	BA8CE08A439FE7ED38586EEEE80284A920B283719BD8F45A1B5D4358881AFC91AED367D92B86C5641A020F18CB711196D1A41D3EDE7321D6BAFA9CE375CB0C54
Malicious:	false
Preview:	.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.............................................................................................................................................................................................................................................m.m.m.m.m.m.m.m.m.m...............................................................................m.m.........................................................................................................................o...h.h.h.........o.o.o.o.o.................h.h.h.h.h.h.h.h.....h.h.h.h.h.h.h.............................................................h.h.h.h.................................................................................................m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.!.!.!.!.!.!.!.!.!.!.!.!.!

C:\Users\user\AppData\Local\Temp\Dot

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	7.998424759930466
Encrypted:	true
SSDEEP:	3072:x5elz8x3tO8AYgqFsky9Xw4pSaZIxmkHxF8dGaFbBKSJrt67:x5ehf84xAu8FibB12
MD5:	77995F715C403DCD4CCF89049CF4EC9A
SHA1:	180138BCE5A754377D02BAA150B1A2AA3227AA66
SHA-256:	DF7A9B1DE6C174CA4CB900DE129A6479B7BADFDD6BB38ACDC0B858FA918296CE
SHA-512:	DBC3552BB31FC7B4161B2068536358744ABA5B96F15D37E7713ECAFBD41A57564D3A7FA450848AF132BC8B018F7A0EAB0AF7081660436BBF806F1C997295E499
Malicious:	true
Preview:	....^..... ..8.l...b.......MSF.LHs....?.c(.n...jD..U.g..wg-jJ.YR.B....c49)...N.A$.$.C.....m>...N...@^Z./....g.D.....HR...>..=%.\..Op3Ta.j..f#....M.._..<r....J.b..0..K...eK.G....c..}.....`.......t/_.'..>y^6...p=.g....."2.......N;J-[..:..R...V.g...e!.;H..3....c..~/n.!...{P.;.;..<`...........>.~n..c. ...~.A....~.G.C.K.8..Wl....CF.h.w;.ovH\\{k..V.v.O)...z.L......V.no.[....E.)e.6N.Q.}..W6...p.?.Q...........`.5..Xw..q....!.n`.....{`U.O1.'.@.jS..2...vD. ......R.t.8K....(.11.+(,C.....t7..!......).h.X...u...6.e...`.o(......y..U."...^}<.....O......v!}.6........ .R./.^/B.=;.I].d....v.dQ.:.^.B.7.iuf...._.3.;q......g..K}.......Z....8.W.....te...6...YT..9..<.....).L....l....E.R..Up.q...Xs..E..1,./+W ...5..C-(.P=.?}D.L...f.\....S.0H.~.....p..DZ...W0z....fT.........h..#,...f...+~X...m....j*+8....I.%......pAp`.b...=.)./.s.I.^c./..D....z.....PB..\|....e.<3}E..%.mh._C.QN..b\.....u .........`hr...}n.Bg)ir..J.(....}.#...%.H.W....bK,)o........X

C:\Users\user\AppData\Local\Temp\Essential

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	25295
Entropy (8bit):	7.112591200550005
Encrypted:	false
SSDEEP:	384:RF3XyaqdXE9m/D57OMPJ70YXZg4eVv76AzqmopEitriaIKJ7775i:DiamE9w97OUg4eVDqp8VQ7A
MD5:	F3D2240536D346EDE33EAD541A01507F
SHA1:	92C0AD2A842746EF054AA82EF49B6B7D06D8D3AA
SHA-256:	0632948564C0E8DC58B8F4737800AE39E07D068CB12F1947A13617D1C2ACEEEC
SHA-512:	28C5F0D7166FBACA03BEA92BD3E20E62DB5E50717E1DE049FFC136E29659D9133EE35FBBE61109027B328C62005B1EE53E452338630E1BE9F295D81CA638E600
Malicious:	false
Preview:	7.7.8.8.8!8+82868<8@8F8P8Z8d8n8u8y8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9.9#9-979>9B9H9L9R9\9f9p9z9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:.:.:%:/:9:C:J:N:T:X:^:h:r:\|:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;.;!;';1;;;E;O;V;Z;`;d;j;t;~;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<#<)<-<3<=<G<Q<[<b<f<l<p<v<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=$=+=/=5=9=?=I=S=]=g=n=r=x=\|=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>&>0>7>;>A>E>K>U>_>i>s>z>~>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.?.?.?(?2?<?C?G?M?Q?W?a?k?u?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?....l....0.0.0.0.0 0*040>0H0O0S0Y0]0c0m0w0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.1"1&1,161@1J1T1[1_1e1i1o1y1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2$2(2.22282B2L2V2`2g2k2q2u2{2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3.3)30343:3>3D3N3X3b3l3s3w3}3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4.4!4+454<4@4F4J4P4Z4d4n4x4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5.5.5#5-575A5H5L5R5V5\5f5p5z5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6.6%6/696C6M6T6X6^6b

C:\Users\user\AppData\Local\Temp\Expenses

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	5.132172688294856
Encrypted:	false
SSDEEP:	768:4EusWjcdeDvFQC7VkrHpluuxdCvEHKKgItUHiGx:vusWjcdmQuklluhvEHKxiy
MD5:	BD04D29E806BE650CAC9DA9DB66902F6
SHA1:	3CC3A75B14D6C604C50794C68E42EB3698BB653B
SHA-256:	AFCAE4CED560841B02A0A2464581214E2F7CA95D1617F690E5D2CF905C7AB1AD
SHA-512:	5CC1345A86CC9977EFAC824AFA4AF33C8DD447ED2401C09A3819A3F672C69F1B7A26013DB8F1D1D81036562CD267ED7212732FD8A64F0D855099FA49C72D44AD
Malicious:	false
Preview:	.....J.@.....J.A.....J.C.....J.D.....J.F.....J.G.....J.I.....J.J.....J.K.....J.N.....J.O.....J.P.....J.V.....J.W.....J.Z... .J.e...(.J.......I.....0.J.....<.J.....H.J.....X?I.....T.J.....`.J.....l.J.....x.J......BI.......J.......J.......J.......J.......J.......J.....4?I.....L?I.......J.......J.......J.......J.......J.......J.......J..... .J.....,.J.....8.J.....D.J.....P.J. ...\.J.!...h.J."...t.J.#.....J.$.....J.%.....J.&.....J.'.....J.).....J.*.....J.+.....J.,.....J.-.....J./.....J.2.....J.4.....J.5...(.J.6...4.J.7...@.J.8...L.J.9...X.J.:...d.J.;...p.J.>...\|.J.?.....J.@.....J.A.....J.C.....J.D.....J.E.....J.F.....J.G.....J.I.....J.J.....J.K.....J.L.....J.N...$.J.O...0.J.P...<.J.R...H.J.V...T.J.W...`.J.Z...p.J.e.....J.k.....J.l.....J.......J.......J.....@?I.......J.......J.......J.......J.......J.......J.......J.......J.....$.J.....<.J.,...H.J.;...`.J.>...l.J.C...x.J.k.....J.......J.......J.......J.......J.......J.......J.......J.;.....J.k.....J.......J.....(.J.....4.J.....@.J.....L.J..

C:\Users\user\AppData\Local\Temp\Extreme

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	190464
Entropy (8bit):	7.9990724050012325
Encrypted:	true
SSDEEP:	3072:4m4T2qLQzq0juJ6g+ClJcja2WANwIgN8kVfH4eaieaF0A0FLT0j8ZDxdo338K8Y/:4m48q0juJB7c1bSISTVon5A0LbDxK38+
MD5:	BBAE7BC5EDA50F036B04EC89345013FE
SHA1:	6E66CB41EE031A56EE9F26A9E5CB3BFE2A3E8506
SHA-256:	0E4B895452432EA52A607215126635ABD4C4D1C3000514ECF469AD436A3386B0
SHA-512:	EB4B571A7EDF6315F0AC2C1D8D82B9CB6E69E11CDBD27D6002906F0C3A2EC46AF853440BFA73947D0C6BE2079ECBD0F9458A67B9716176718EF4261DE93FA4E1
Malicious:	true
Preview:	.."^:...W....}...b..rr.lq...0..0...$.7.8......;.....s...K0Oiyn9i;he,....^.2{n.........YeT.kV.......o ....k.9.;...f..r>R.v.\|.....EW.X.....~M..K..Mf1@.PN...s#....2e.....H...a.......Y.}.....L.9..j&.F...dYa}tKV...X....2"..V.U.z...%.......[..S.i....U.V.1Q..\|.=..O.......F^.n.Ia......i_..N%uIW...x...V.]..-..}H....w....K@Y.)..?M...g4I.\|..6\|u$BR.l.1GY.9x:-....o%...........e...<@s...e~....IY..^..$$....{...........2..xo...I.%g..jE..z....,.WQm..o.w.,s...%......)Dy..'.k-...a.9..o....F..+...E..M.GpV.Mh.L..T#hsmZ.C<.}v.3...ft..s.....^O....u....P..d....C..^.....>C........A.uX.W.W`.f.....7...]....Kb....b5..s.....q....4E9g..8..?.g;}.......e~.4.y;..mg. ....B.).....+,...>z.....esF.u...6.......!.>.:..K,.X..Aa.a9U.I: R$m.....L....Z..`..1..$.R*(..8.+l.=.r...Y..V..........W..2...`.Oeb.py...c..b.b.q$.f.G........L.@r;6w.=.A.f......AeF.>6./.a%g#.E.(....E...a$...MU.o:hC..Wzmj,.....\|....]n.:n.J[$_....E...\|C.F.5..P..T.C...:...W.6..tZ...C..r.ON}s...{.E....i".\|.j..

C:\Users\user\AppData\Local\Temp\Gnome

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	7.993076022465265
Encrypted:	true
SSDEEP:	768:6yZJ0JLh1lQp/AFNe6HB69aOvWb7ySab4:ZELhnQp/ADB69aZ7ySY4
MD5:	0D9D0CCE12A847CEAC006649D0CF553A
SHA1:	8E8DF91ECFE20E2B3B879B912489103AA48A6B01
SHA-256:	988AAB32EF469675E795EC46BCBF1AFB45313DF9E6C064D6351CA9CDF23B82AA
SHA-512:	6EB96CE9636D7548FFBDC66545AE57EA079B661D11594C0861C4131389829AAE25BF9A05F32959F508ECB6ADE31AC3940A54A63E3851881937756CB739D9FB15
Malicious:	true
Preview:	.A.'....C..!...+.bw....o.r~.$.p4...B\.t.j....nh.zr..i.v.......n...Co..V.ru.~.$....9wr%.IXw.......8...~...L5)...A.....rm.3.t6=~.0.k.....c.......J....R.Y...\|....Yw.........w...O~..9....v......t..<.d:`.....K..R}....-....T."...T..o..\|.n..L..q..9...~...vw...4{.c-....l..d.4.=[...=...=0U......h..".L:.7...x.kw..f"..._.<.I.l._...".-6...x....'2...X<....8 ...i...........!H+./.0.J...........O..N.bGan..E......E...?...'.B.S.m.P.8w}....-.X(...w.Z.i........d.J.u9.p...yc.x`.$.,.{q.F..~b.I...<.z.u...&H....vhf.RuL.Y.nx.v.......]F..E.."..t.{.:.<X.A...IzX........M..-....7.5.....M...-.g........F.m.].v`./..W...(...ow4....j.*.}....._....Z.1.z.....[.h...\s$.6.ZlF.!.....{..@j..........\dS`.q....`......H@..>..Xd.o.z1I(.co._...b.8K.).s.X./cG.%.9g.....L~\...^M4.=..w.%..k.\|.D..n.l.,`.........ul<...n2....N.e.b.Xu.......(.'.....`mn.../y............u.@4\|.).)2.-....-.+..JG.@....g.E....M.FbH....D...3w....K\lyO$../..\2..2+........E....-....9....+.i&+;.......OI

C:\Users\user\AppData\Local\Temp\Halloween

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	2.5460981119251183
Encrypted:	false
SSDEEP:	192:/A48PQh+NEpCarucTE6QZSSYA13KcqIb/rvOLHYBa1Q319sx9kaxCVt:/3pMygarucTQ0Snh3HvOLw/319stEP
MD5:	9652AD34F2C8F89FB8C7B44CF5432ACB
SHA1:	490AE667C1107418F58671AAA1B7EC2984826966
SHA-256:	00FAE750349334CB1A1568976EB68C8E3AD1BE18C9583EA8493EE8BF42D6E799
SHA-512:	632BA57B60BB60399CE59D8B5CE46549C79216ABA9FCA9B951366234AE809C3090F31C23755B8B41E98851F88DDD59E9306B09C4B501F9252641F5BDA1E332D6
Malicious:	false
Preview:	y..3.PeekMessageW....TranslateMessage....DispatchMessageW....LockWindowUpdate..].GetMessageW...BlockInput..&.OpenClipboard...IsClipboardFormatAvailable....GetClipboardData..I.CloseClipboard..V.CountClipboardFormats...EmptyClipboard....SetClipboardData....SetRect...AdjustWindowRectEx..T.CopyImage...SetWindowPos....GetCursorInfo.V.RegisterHotKey..G.ClientToScreen..A.GetKeyboardLayoutNameW....IsCharAlphaW....IsCharAlphaNumericW...IsCharLowerW....IsCharUpperW..X.GetMenuStringW..z.GetSubMenu....GetCaretPos...IsZoomed....MonitorFromPoint.._.GetMonitorInfoW...SetWindowLongW....SetLayeredWindowAttributes....FlashWindow...GetClassLongW...TranslateAcceleratorW...IsDialogMessageW..{.GetSysColor...InflateRect...DrawFocusRect...DrawTextW...FrameRect...DrawFrameControl....FillRect..@.PtInRect....DestroyAcceleratorTable.X.CreateAcceleratorTableW...SetCursor...GetWindowDC.~.GetSystemMetrics....GetActiveWindow.1.CharNextW.3.wsprintfW.J.RedrawWindow....DrawMenuBar...DestroyMenu...SetMenu...GetWindowText

C:\Users\user\AppData\Local\Temp\Hdtv

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	6.6424670756329
Encrypted:	false
SSDEEP:	384:0cgT2k9eZM0/1zbE1PJcF8ufnpZ9aBXYrxzDZJgs/ZN/EyFpdf:EF9OR7F8ufnz4kVDZxj/z
MD5:	1913A68E92C714BEB7BE51AFE0181551
SHA1:	F70635B43C6DA3A1FE1035BC7E8DE3F31CBDBFA4
SHA-256:	29FCD2B344F47F918B77848BA0060E479DF490098F6176DED49A963D6993A831
SHA-512:	830A6379726DF38D974E6D7BF005C683DE903D8454037EA417B79E144347CA635B0C66C97D20E409AA49C15A8BB4B8D128EE9CFD66DC174683993A2F44E11BB9
Malicious:	false
Preview:	..D$.^_..$....W...................te..$.....f.o.f.oN.f.oV f.o^0f...f..O.f..W f.._0f.of@f.onPf.ov`f.o~pf..g@f..oPf..w`f...p............Ju...tO.......t.......f.o.f....v....Ju...t*.....t......v....Iu....t.....FGIu.......X^_..$.............+.+.Q.....t.....FGIu....t......v....Hu.Y.....U..U.. .K...M.#.#M.... .K.]... ....t.j...!..Y.. .K..t!j.../....t.j.Y.)j.h...@j.........j......U..E...AL.].U..E....>I....A....A..]...U..V.u...f.....>I..F.........^]......>I.....U..VW.}...;.t.........t..w....5......G..F._..^]...U..V.....>I..R....E..t.V.....Y..^]...U..}..S..t-W.u.......x.W.....C.YY..t..u.WP.M.......C.._[]...V..~..t..v.....Y.f...F..^.A...u...>I..U... VWj.Y..>I..}..u..}...t....t......Q...p..P .}..u...t....t..E..@...E.P.u..u..u...@.I._^..]...Q.. ?I..g...Y.U..V........E..t.V.....Y..^]...U..%.AL.....S3.C..$.K.j..!-......L...3...AL.3...V.5$.K.W.}......_..O..W..E.M..E..ineI.E.5ntel.5$.K...E.5Genu....j...X..j.Y....._..O..W..M.M.tC.E.%.?..=....t#=`...t.=p...t.=P...t.=`...

C:\Users\user\AppData\Local\Temp\Janet

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	116
Entropy (8bit):	3.734931856152107
Encrypted:	false
SSDEEP:	3:qlGNAWGXWUqt/vllpfrYZcFTSn:qlGNqqjvVS
MD5:	2C945420550DD733DA1CBEB5B916BDAB
SHA1:	DE7494411ED73CF0EF4E2903C83D4B92B77844DF
SHA-256:	26644B77E9285FC0A576CF201E463C9D250B661684CF22181FFBFC184B07E600
SHA-512:	D6A480D2254ED021161E9C7CEE50BC3C027965BCC84CB4F22E70C07D2ED30CC8B94E07832A3A9E155943D5F0E9F56AFAFAD6A1354C38DF26014A34E583095C1D
Malicious:	false
Preview:	IndieBeachesHonIo..MZ......................@...............................................!..L.!This program cannot

C:\Users\user\AppData\Local\Temp\Melissa

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	6.51096578838961
Encrypted:	false
SSDEEP:	768:JCVKSb279sAOOWNMZmwfHh17McqQHEdQ7iwDIUKo+jBAfe6TtgguvkFec+jJ5PZY:sKS+9sAO+kdIlDbKffUCJ5h3Fsoe1
MD5:	BF8E0B3D851E05FEF6EA842DCC841C72
SHA1:	A8D5EC0871E37297B0E1E0D5C259002D9AD45FAD
SHA-256:	C2DB74B48A22B63342927538CB385BBA0F118AD2079F0AB97DD080A0FA0E18D2
SHA-512:	F78E3CF5954BCE9000EC94F6B109BA67A4C0949540888A8ECAB3F5E0719F9D70FF54CF3B06A3E80694CC15988712392CCD5FDCF989FD984FF4F647D0022616FA
Malicious:	false
Preview:	t$4.*...D$.P.L$$.....Q.D$$P...H....f....L$ ......L$...X.....D$0.t...j.j..H....%8.._^3.[..]...U..E.Vj...@..0.E.P.L5....t!.......E.......@..0....I.....E....E...u..M......3.^]...U.......VW...L$...L...E..@..0........F....u......t..L$.QP.)......j.j..H.......M..D$.P.....L$..<W.._3.^..]...U..QSV.u.W...F....x..u{j8.tI..Y..t....Ix......3.~....@..r..F..H..a..........#..F..0...X...........W.v..Wx....uC..t.Q....y...u..........F......^j.P.E.P..4....t.......E.......X....u...u......v....E..F......>.@....x..u....g\|....t.Q...x.._^3.[..]...U....SVW.}...G..0......V....E..B..E.B..E..B..E.......v..G..H..e......u..U.....:...U.....B..<.u..M..E.P.M....'.G..0...:....v..M..4.....j.j..H.........M..U.._^3.[..]...U..E.SVW.@.3.S...0.E.P..2....t/.......E..u........@..x..X..T....F......>.^.. ..3.SGW.H.......u....+....~..._^3.[]...U....SVW.}...G..0...z....V....E..B..E.B..E..B..E.......v..G..H..A......u..U....9...U........t..E.P....j.j..H.........G..0........v..M.......M..zT.._^3.[..]...U.

C:\Users\user\AppData\Local\Temp\Opposite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	7.949317212073021
Encrypted:	false
SSDEEP:	96:brMS4pyEE2ZGhPqHpwACnMRj0PN1j1N+F5YknLe2OiqqaiEtBHmhyG57P+sz99Na:nMtpyLizHpkmjov1N+F53LeEqliEihyR
MD5:	8D21C3EA1B0ABA73ADC96A2D27387006
SHA1:	2F72F5E84BBB06FB46DBF3112F460B323FC53C39
SHA-256:	71BC9ABD9429B631A2CC6274163C6FB74CE5F1B63ED31BF490610CD6B89096EB
SHA-512:	558F978562C791374FF6EE6E97FAB6D2256E3A9AD404A7B976923AC5A06C98A269DD056A8E501E2874BA1398DFE266B1A8B8F4B5DF04138AFF8EC021BAB0997D
Malicious:	false
Preview:	.D.-.hB#)IFUy.\|.D....i.....-.?.&.B..u....7......V..9.Ia..0;}.{v..n..333(.Kh.Z.Z....C...BX....y........4fgg..bz......`...2.+.....Q\..k..=W`....T,b6?.Z..).t.....-a.j#/j..\H;j.UmaN....fhk.XD...{......Rb...&.W[G..........3....$2.;..-.nM4....D s.P3....;..6...(e..oE.J.b.....$?%..K.UA..\....x..NI...m..K..E.^.7...a.!....a.Z..F;..z.....Q. ..>,.G.As...E.[.m;....&.......f...R.)..^.%h&....?.....Y...r..f..b.9.>).$..(.\...?....R.{...O>.M.]....\..!...D.........>..'.k....y..E4y.r7xj..\..C... .5..l.oA."0..5.ty.y..... ...c+``M&m".......).;>@......Q.J....g...u..C.L#.j".-.1sC.L-.B..s.vC.."........@.T..........#G.....l...Lc...>)..Rh.Z..d..ut..0.+.........B.....`]m..l7.,.... .S=.h...\.E....?z?V.w.........V6.'P..9..$<...f.%/?K.M.....:..:...x.k.x'.{......8B.....f2.X..W......p..A....Jet:F.../.&...a.Nd....w>.......P.~".Q..Q......_?~/....5..\..:l.S.[........B/..!).'q.......~u..wH2......P... ..o..\....C.-.$x,..\|u.v..N........c.=.L....B.R.\|{dd..._.jY4E".a.J.bL..r"";R.3.

C:\Users\user\AppData\Local\Temp\Petersburg

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	6.4863989319677335
Encrypted:	false
SSDEEP:	1536:DbgjQWq8GV3jOTJh1Xl2ub2tBOjAeKmCa:IjQWbt12uitEfCa
MD5:	607C3904C82E7B1C23AF8658A8C36879
SHA1:	C07034D3195A5AF40F873543ED364C03E2C6BD8A
SHA-256:	37BB7E0721A0F992E2CC008C4BDDDDA9AA73EF2E438E974BB3A33F9015555B04
SHA-512:	7274AF382D9750987C66F368DF346B26D8428012CA31D4173D67EBE70073203569C5BB0B8C0A0BB5ECAE3B2ADB42B780308647C520E643A6EF3D2E7AA961AB2A
Malicious:	false
Preview:	be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B.........................................................................................................................................................................................................................................................................................................DQL......h..C.....Y...L..h.C..{...Y..N..h.C..j...Y.h.C..^...Y..<C..

C:\Users\user\AppData\Local\Temp\Praise

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	183296
Entropy (8bit):	7.999075076566574
Encrypted:	true
SSDEEP:	3072:6n4bAXdCwpO/3cjnBWjcdX3oyGmTUYGLx9tJsiqn3u6iDwqLulIc:623wMUWj0noUoYGTtJsY6IwqLmt
MD5:	8CFC772B95154EB054B7CBDE050D920A
SHA1:	0DDE0C723029D96E07D822BE17DD82D3FD9C3E05
SHA-256:	4C207BC921E0DF2C5666025F1C68495A83730E6BF87162BF970CF87654F34E73
SHA-512:	3968EEECFB07D2346BDFAE0CE85EA36DE6B0D48D3D6A156DA99F0E7ED0BAFC3069F0D99AC85744DB6DA11E3CB5E3041B9714D8F6A5AABC7DC2B2A231CDEE68FF
Malicious:	true
Preview:	....~....u.,F......j.. ....B4q.......b^..{.o..C..f.>....j.+....Y@.Q.oQN..mp..x....:#.,.4.#.7..`..z.\|+...3.8...AK.=q.5y.j.\..YV..D5v.:.m."....+y].........:..`....J.cOC.'.n.0..f...mK....h.....?..df..J....U..}..W.zl......1.3..?X....g?;.Y......%..fa~o.S..d..%.....);0.Z.7.}}.P..(`.lE7...dr.M.]..G.#...g..8<...>[.[.......eR./..om..L.1ef..>.D4.......).L... .....v...J .l...W.T.I..R.&..U...Vg.c"&.o.P..Rr....u.+.~.e..c.E....x.&^h.....-......;..g....Ze....+tN@..\|.Oc\..V...W_.B..A.U.....?.z.vy.h.q?..\|....h ..,.jm<...w.R..."R...E.....<.........e......)..t.c.QwmT....Q..!...3rE.V.z...?0.rmK.*.FN[.x......i\/.....wtIc.]....p....X~f.. '2.z...?.#.j..:..Z....X=4.Ela.W(.WM...T....l.0.B....Ee.EE.......#5F..D!..~.u....Lb...;.F....H.5.d.e...#\|..\|....~'.m...7.SD..H..~..}G...k(..Q&..G.#".{se.~...~.)7I./7u..F..5w.,&..9.....y.z...T3...ok..]..../U.R..WE.e.D...eKp..r..N....e!.H..#)(T..._0\|.^TP3.1..9-sC..<..mD.../.<"...b..%.WEZlS..5....%Q\|.j...?$.....)...M..R8

C:\Users\user\AppData\Local\Temp\Predict

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	7.9979204582388554
Encrypted:	true
SSDEEP:	1536:XNQfGZCctJRGaHojcxXuch1kmlVbj75pC5fNTttGn+xaLag/4SSg9CBAO7BN:XNQfaCnGblVb5pC5FTD1DSiPBN
MD5:	811A409C0330A7D3BE0D9A875B11063D
SHA1:	2A640DC241AADE79E210FD5F3D78F91EE211D3D9
SHA-256:	20A77AEB36059F6D2B678CF960ABB0C769E9DCC224777AF407745623786AF34E
SHA-512:	5852F7F8BF504FF9B9782F37171672E31442D2E0D8E31CDEF489198312B701FB57AC5B5A68976B36CF551878551B91EEB9D5CAD72A14E5BE78892DE9A185C39E
Malicious:	true
Preview:	...+...JPpb.$'..c.x.......K...rX+..O.{.].1K...O.wb.Q.Pz.E....Fa...A..l...Z...&..-?h}I.^.."...q.......gd?...i..B...E.rW..Q.?Q/.k.!.....J.$i.}..ed.?...S..o..#.`.....dE+...f.....m.n...&...b..K.(w1.&.'..y.....Hy./9x....A..J.....w...r.k..W.......P.g5NP.Isn..n^...n}......Z..c....5..Q..Dy._r+..z..$t.sNJ...v..w.g...'.q.r..m>..t..=.i.Z....>.H.....J.M.Q.ZY=.J2.."[....(6../.7.[V^..q5..3......h..(X.d.=..j6......k.V....7..T...f).6.6.Nk..=..{'.Y......E....>~....$.W..]@..).{;.@....S..,.}ZP/4J:.&E./=T.O/..8!.t?/c.....Qz....W.ERhf....`.b2M.,#a..N.M~.`..u...bt..W..7A{.xr...[...S..&........)..m.:.>-`G'.`.(.\.=.....Y.....i]1.s.z....E...D.N..\|K....{..f....-\..n..;...U.0.,u.....F..p..:?:.O..&..........v..S..0..[..cX...N..x+bD[.....g..\|Rv>......3....;....Bk.@v.8.....c...`..VF$Q......'..E.....C.W.s,..J..\|5..Q.B...L....X...Z.....\..xh..Pv.>)....n.&{s....w....y.....0.c..E......wT.!.......O..H....K...t\|.OW.....F..&...r..C.V".....C]...z..L..l=:.....wX[~

C:\Users\user\AppData\Local\Temp\Prisoners

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	6.7074396642151095
Encrypted:	false
SSDEEP:	1536:+hrNCsGJh5yA05E22VelTXzSj9xb7XDh1RlyxcZqvinN8Psp:UlAYrlTGj91DhrlyU8Psp
MD5:	EF5D0F587FDA43EB514F8BABD4D15169
SHA1:	32571BDFC0455C7546C15EBAA15A356261608C14
SHA-256:	6F1377F3B21DEEB200AA841CE0989C3906806FEF7FA259551E266ADDF2BB4F1B
SHA-512:	27B3C447105042A882F30AE1740878E75192C6745F7EA8532EE33D5014B61038C782A98F9D9DE99B2BF8D4CB7D648ED69BC5E0F8E6DDF209E39B6A3EB85D82CD
Malicious:	false
Preview:	Y%...&...........&...FD......;%...n&..........%...FD.......%...P&..........D&...FD.......$...2&...........$...FD.......$....&..;~\|...&...~.....&...~.....%....F4;....%...Fh.............s.....%......o....U.;U....$...N\|;........E...uT.V...t.j..F.PQ..............S$...,.V....+.;.w f..f;F4u......3$..f.G.f;F6..%$...E.U....................$...D..............;~\|.......~.........~..........F4;........Fh........................w4t......t....A.......#...2;~\|..]...f.?...S.......K.........t............g#...~l...]#...%.........w<..J#........w...<#.......3#.... ..#................#........._ ..w/...#..... ........... ....."..../ .....".........0....."............w<............w...}........t..... ..."...f............"...U....._ ..w/..G...... ....n"..... ..../...../ ....V"..........0....E".............w...2"................ ".........( ..........) .....".............w........A.......!..................!...................FD.......!...}.........!...FD.......!...b......wZ.FD.......!...K........r

C:\Users\user\AppData\Local\Temp\Purchasing

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	6.384020949103289
Encrypted:	false
SSDEEP:	48:/AIpWg0ePfzMINl36LKuPzZiQYFgBAmFmL+MPlVhKLyvq5UsNhRRiG+Ed01Tb/Kn:/AIpWgLDlK+QOGmLvjKLjvrMWuSn
MD5:	04FB74262BA54E88BB3840683EA42B4B
SHA1:	E6E10DE4005C0E849A2A6D453EF924ED5329D6F9
SHA-256:	61EE1B23621D1BC7735FBFCAED30513572B7BE9FB4ACB2C58B457A58C84FDFE3
SHA-512:	9BC1FCA8E1044A41AD46EFD69B576A75ACA2D1BCB9584F9D86FC1E3CF5C27DDD996ABDA7BE53CDF4E4AC029B46DCB8BA25B58BE6F75B36EB9A9D8A908E4B1EE0
Malicious:	false
Preview:	.......O....E..A..E.A..E..A..M..E........3.......WWWWWh....P.u.....I..M...t.......P......h..I.......Wj..H....B....M...k..V....I._^3.[..]...U.......i..SVWj.......I....E..@..8........O....E.A..E..A..E.A..M.E....J...3..E.WWWWPh..........P.u.....I...t(.u.......h..K.P....M..........P........M.h..I........Wj..H....r....M...k..V....I._^3.[..]...U...$SVWj..M.....I..]...h..I.......}.3.@.E.9G.v..G..H..-....E....\|....~.3.@.E..G..8........O.h.K....E.A..E..A..E.A..M.E.....g...}..O.........t&h..K..M..f...G..8.......w..M..ee...!.M.......E.P.M..Oe..hL,I..M..`...E.3.G;.u_.u.....I.;...-...HHt@Ht3Ht&Ht...Ht.h..K......ht.K......hh.K......hX.K......hL.K......h8.K.........u4.M......=.@..u..M....=.@................h..K...............M.U..m............E...........$...F.h..K..gh..K..`h..K..Yh..K..Rh..K..Kh.K..Dh.K..=h.K..6h.K../h.K..(h..K..!h..K...h..K...h..K...h .K...h0.K.........U.j.W...H.... ....M..h...M..h..V....I._^3.[..].....o.F.v.F.}.F...F...F...F...F...F...F...F...F..

C:\Users\user\AppData\Local\Temp\Random

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	7.996212600007831
Encrypted:	true
SSDEEP:	768:7JcWhMk7BOO8ar14ic9pB61Ojk76FVcxja/ezOKLsSMjgHn6Ri6WqVZL5:1DZ58ar14hpB4cYNjEezjMjtpZ1
MD5:	EEA1443F1AD775ED4990D11CE441C1CB
SHA1:	64E5FA0D813BFA915ACBD173293B905462555982
SHA-256:	8DD12A82DB96E3ECD8D4E85386CB19493BE3C8AC923FF2D144EF9E73FE7CA63D
SHA-512:	E84C3C39333F02C35970CCD2B954CE305E2574E98E290AF350A45E4CA59CBBC294E6F640DB656A0AADA5058BCF9977B45E63D11414999CE1F50405D359A62712
Malicious:	true
Preview:	.S....j..Z....E....dB...7..PP.....u....g...-.E..z.......2x :.8.,....U.3.&U...=\|.,dFP.(..3.g.[W.EH....c.%J......L.'.......$Z...#Pj.=F.4..H...!D.......31..>_.i.f.=A).k1..a...'}.8M..R.R..J..rX(.].........;....G6`....lE..).Z.[.[K.q~....a>.5..X..F{............j..z...I...'..".....X.y....L.Q....Q.M.R...O.zt.s....\1...&..>K...:..dS..h.w......P....W}o.j..e.3OBu.#fU.....J...S.Ya.U....(l.oz......o.D.ks.?...j....WR%3.bn.`..1..D.....Gf..1Q(..I..\.g..S.Ek..;.8y.<..a._.`..Vw)\...T.;.m...:.?.h.......0.%.^.x...s.V;.5g#.......p]..j.v...d.r.5.A........zx.+..h!...6..d.[..F....D..I4./....}"......*....D.14_Bk..l.JS.s.k...c../..d.O..n.S.g....m.=.1o,.^.......\..I........XS=,Fs......E....A.........C!.4v..q..C....$g..8....a.......y0..8JL\|.m{.l..kn#%=...9Or{08Q0k./q..y..w..L...........k\|\|`9...5........`u,8.lE....\......8.j.\O.j...p.W..%.j..aS...j.n..b=r3..G....=^.....vMh3....2s..2]A.V.e=..8..s..ul.....qS..RWO...:Z...t=UY..nd...%'.U..<).R..2l..h........

C:\Users\user\AppData\Local\Temp\Ready

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	7.998333373356418
Encrypted:	true
SSDEEP:	1536:KsIohecAshkIib9vqcUU4hqHKzevahi/TQwFGBaIKL9Bu41wn13y/t98:5IonYI2FnoDzsmidFOYwcww/tK
MD5:	4E9081732E202A22ACD90381851D9893
SHA1:	F6642F946022D285D00A060884DF82C0D7311826
SHA-256:	2141F590F3B3997D77957E11EA595342D3B0B4389C3908F5C6EC895C71D29BBA
SHA-512:	04DFA8270D99F40B6F0E77249CB01C20A8055752C6CFFF92B917DF57BB45F93897BE3581F5EA449C0112A36EB28B029C0FDBF1D5387BE35B824F904B2115B99E
Malicious:	true
Preview:	.S....Ms...s.I...z.i.~.....+...X.7#..U.8.........`..[.. .\|....ZR@fg..S}.C.H..=..d...5.>..c..d.O..a...Al9........`#q.........../..C.w..US.K._X.......j....!;....~9..7kW....2\....rQ."YsR.[......\|......./#"&...!....z..D.s...ho7.i:.:K..D...9q.F].s.j.0.M.4]...._.J.?.x..-xw.!......:...,....8...`.b..D..[...T.taneG"N...b..o.0..\4..J...Z. ....T...7Y..:.....:.3.....a.$.....R.e...O2sh.b:.s...~.^.9.vO.....HyHK1..eS.T..X.....$V.{.p}.tM.k}..SgO.......XV..d ..._j.....(..4... C..$.j....G...Q.6`..o)......uO......p6.v..`}@_.6..5........8.....Nh..%).Yo9...M.\k..r.k......,..b...e..g..?.~..q-.+.3..C....%h}Z....E":..c...B..%..A.AH]....,.".A;.T..._.....C...3.F.3N4.r.4.r.._.....=(..K..x.Q>...=}J\|.]..]XS..Y.\|..+Ak2~+]5..IU!.k.7=+...'.b.....P.....].Q..r..=8a..........mN..Z..{X.W/{].b.RX.T....#J..EN..x.3@].....\....a..8......:.J.....a.B..i..r.....+.D.b*.'....A]Jk.&.Ft..A..p.......u..."/k.8.....f.....)M..\|mx..[.W#..J8.3..;OU..#0."o..MbtL.0g..?(.[#.3r........)...o......

C:\Users\user\AppData\Local\Temp\Sandra

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	177152
Entropy (8bit):	7.998915606396731
Encrypted:	true
SSDEEP:	3072:Lp9ECwwQ5Scftgx1UptEL6x/J4CFdREwiaUlwH6urzqjmSbXwD+xI7pZi/aiOQyd:F9ECYQcfGxdL2hvBLib+jP2mx+xIVZiQ
MD5:	E9FCB097F449D3B71F42E4E586902779
SHA1:	F27392A528F3CAA678740341C86081F503635279
SHA-256:	985BD2B13C45EDAC103450C77BCF1B6A1681E05B85D659B018D94C3CD1D39406
SHA-512:	3B0C88D55E7584B64B113A8AB41D97B300384D97C6625B206CAF1223676CE573E6360B00452BD3C048735EABF6CDDEAD6CA23EC4FD50F89F1517C00C26DF735C
Malicious:	true
Preview:	A.>..8..5.;.S....h^."..zL.rV...,......2..zZ..j.:+.m....Ue..cZ...Y.W.w.).R......V*.I. K......o...@"......;....B....qty\tc........z..D-......-..:.v@.<....L>.Z.K.....a...P.L...).CT}..Dy.s,E.....('c.....3.1.1D .-....5...._QYL%.p...).f$0,...`..;.N5.........cd..L...M..`^\..D.%..Be.u.8..dXC.....r......H...IQv$..-Y....Na+.f..9..r....M..>..jxm....%w...J.e....}N.o....,S..T.A.[W.0..B.}....a7.v.=..s VJ..F.,.y...,.....0.....0..k...kF..k..q.... .#C.~.>[\/......^Q..../0......u.1H%.F..b.U.......IR.,,.......3b?...........O.....=.{tuI8....e..o....l./&.............V.....e5s..X.9..->...P...q...X..a..=.`eq@(..]..I.\.$...DI../.......#h_y.Y.Y....?..o.h.......7\|..........K..dP...B..... ...'Qa..I...qh...\|..h ....s.k.C[.+B..c..25._......SG.N5...i.P.M...G........Z-%...._}....t....aw.b...'....y.K.....t. .l.qC...'...T`I........=s...FZ\|N..W....798!./..d.J...sI.S~..O.e..~&..d....vJYoZTi~5K..#....#VQ...!5%:........Zu......g.\|.u;z...{b...,...F.uIbg`.3V +...r.-.(....m

C:\Users\user\AppData\Local\Temp\Shannon

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.994699151513296
Encrypted:	true
SSDEEP:	768:SyEpuCH3rhBRYkeGk1eQAIgIe3KSMZGmMET6Gd2kg+x:vEpuCXVMkeGWeQAIBeKSMAWzg+x
MD5:	BB5E95A0788AB31A449E282507BC4A5B
SHA1:	5D0E01D3D9512DD9BEEE9B49EE3A8025107282AC
SHA-256:	25C7555CBD64F1C8272E2F8DF17243B60AEEB96E0B3A574D8CF78BA393CE0B88
SHA-512:	7D99BB9950F9B5B87D140C98EF6F81FA285F898325C14D296CD929126D327A6D2D3EDFF7BC034C265317B5BBB9BB54AEF51CE94DDD6E45F6A425A0FF5A8F74F6
Malicious:	true
Preview:	e..F&qS...5.]......1...h...o..T.5...Q.........$c.T?n.<...`-........(.kpr..2+)...'...L.i.;.+..#`$?...j..`....\|^I..2[..F...6L.b#....$..}bQPY).#...=..=.JQ..`...m..<........d9...[\|/q...q<...X.W..T......c.O.[....FG...~...........d.uI7C.tX...Q.0...m....-..4.........GsB\|6U`1.#.6Zk...C.YN.kA;.G.`.U.....j.._....qh_..S...(~.m,K..6.....u....M.F.R.B..x..#3.....v....,`.r..[.........).+./.......I.`..O.....3.......>....@R..,......uI#T}n>..t.e.kT.w....L..DL....MR...{..u.3.5.N}.#q.S.d..9r.P2...T..s...%j.y....f..[.,.W.1.)`.,%...K.[...-\....f......B..{.1.?.5....^....P.GK...7d.&...!.9R(.P...O'....i/`@.n,.hX.fh..S.;V..{8..Z/s.....,x........`F.&P .8O7.[_........ .d..D.g./....U..i..[..l.".r..m.... .#....d....?]~....vJA_.....3.p........N.q..i.d..9:.`...@....7....6..5...ql.K...1}..9.R%.5.......i.......Qj.I......i..x.r.<.<.....#.."..f.s..pQa ./.......0....{..d&.(=...Bm..3?(.._.].H..n{......#.g..QV.k.vQ].~.....qV.*..f..$..A!OG..f.@&..9.....6O..#n~.\|.Qt&....

C:\Users\user\AppData\Local\Temp\Silk

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	6.101388703970886
Encrypted:	false
SSDEEP:	1536:aIKQ8SoXTqgWVrZ+Int3SdFc9vtmgMbFuyO1MBNX:HXwT5MAg0FuyOKBNX
MD5:	5E231CB9FF4A4F93067AF99469B172BF
SHA1:	89D5C83F6FAD26F0AB5041FB294AAB23CE0AE40A
SHA-256:	568F7EA9DF5107ADD4311E4852455D9B8DF3D6461BD49634519E30564B87D14A
SHA-512:	AD5827ADD37168A53B95DED664443ABFCFE21D5887DC1F09D4E8634F904BB75DC09EFACCA9F2A4F51152F48435E9453A12656849B77DD5123E6CE0381AAEF849
Malicious:	false
Preview:	D$ .L$$h....P.F.PQ.t$.....I..t$...G..YWS......u .E..u............Qh.....u.....I._^[..]...U..QQSVW.}...gL.W....a.....hL......9}.u23.9............E.P....I.VW.u..u.V..........I......u....`...E....tR..$hL...............t<...t7...t2...t-3.9p.t&.E.P....I..$hL..M.V.3.u.....u.V...p..E....E.........Q.u.j{W....I._^[..]...U..SVW.u...gL....-`.....hL..u.....>...uC.v....._.......tA..$hL.....1V......F..t.j.Wh.....3....I............V.v.j+.u.....I._^[]...U......\...SVW.u...gL.._...u..D$..D$HPV....I..t$L.D$..t$LP......T$.....hL.......D$8..........$hL......................L$PQ.L$D.D$.Qh....3.P.\|$$....I.WWj.V....I..D$D........H.D$<h.....D$\PWV....I.;\|$<}+.$hL..............D$Xu.h..K...h..K.P..c..YY.D$XPj.h.....t$.....I..D$.P.D$XPh.....t$.....I..t$..t$.h.....t$.....I.G;\|$D..l....t$..t$Dh.....t$.....I.V....I.3..L$.3.F.\|$..\|$ .t$$.....h..K..L$,.t$(.\$...N..3.D$.C.prL.SP.D$0..P..r...L$(..P...L$......L$...L$(h..K..\$(.<N..S.D$...P.D$0P.r...L$(.P...D$XP.L$..u...h,.K..L$,..N..S.D$...P.D$0P.`r...L$(.j

C:\Users\user\AppData\Local\Temp\Stadium

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	41984
Entropy (8bit):	7.449207061563899
Encrypted:	false
SSDEEP:	768:Mrafd0maNBZikj0kkuhsRqI5o+oyyxVxCaw2F8aP6VOHQznzp8G7bJu1UY3dLi2n:MraF0Hikj06LDykFIcizp97bA3EKNcO
MD5:	5B831D959D2BAE2A472BEEC42C76FBFA
SHA1:	34506C2726108509B45A1E5F4029AC5B009B0BEF
SHA-256:	AB6208142AF3D520951D8159588B46642E982D4BEABF78DC833A1EB1C0039452
SHA-512:	B0BA1E6C4460DC75C0F7A1C435B6453BEA2E755327FB1770B6BAF4F9AE1498E8DDB2099801C1630318AFD50C738506C747E052A75952E6ADF335A354C9AA337F
Malicious:	false
Preview:	.a.r.i.e.s.../.".S.t.r.u.c.t.". .s.t.a.t.e.m.e.n.t. .h.a.s. .n.o. .m.a.t.c.h.i.n.g. .".E.n.d.S.t.r.u.c.t."...H.U.n.a.b.l.e. .t.o. .o.p.e.n. .f.i.l.e.,. .t.h.e. .m.a.x.i.m.u.m. .n.u.m.b.e.r. .o.f. .o.p.e.n. .f.i.l.e.s. .h.a.s. .b.e.e.n. .e.x.c.e.e.d.e.d...K.".C.o.n.t.i.n.u.e.L.o.o.p.". .s.t.a.t.e.m.e.n.t. .w.i.t.h. .n.o. .m.a.t.c.h.i.n.g. .".W.h.i.l.e.".,. .".D.o.". .o.r. .".F.o.r.". .s.t.a.t.e.m.e.n.t...0.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a.m.e.t.e.r.s. .i.n. .f.u.n.c.t.i.o.n. .c.a.l.l...'.".R.e.D.i.m.". .u.s.e.d. .w.i.t.h.o.u.t. .a.n. .a.r.r.a.y. .v.a.r.i.a.b.l.e...>.I.l.l.e.g.a.l. .t.e.x.t. .a.t. .t.h.e. .e.n.d. .o.f. .s.t.a.t.e.m.e.n.t. .(.o.n.e. .s.t.a.t.e.m.e.n.t. .p.e.r. .l.i.n.e.)...1.".I.f.". .s.t.a.t.e.m.e.n.t. .h.a.s. .n.o. .m.a.t.c.h.i.n.g. .".E.n.d.I.f.". .s.t.a.t.e.m.e.n.t...1.".E.l.s.e.". .s.t.a.t.e.m.e.n.t. .w.i.t.h. .n.o. .m.a.t.c.h.i.n.g. .".I.f.". .s.t.a.t.e.m.e.n.t...2.".E.n.d.I.f.". .s.t.a.t.e.m.e.n.t. .w.i.t.h. .n.o. .m.a.t.c.h.i.n.g. .".I.f.". .s.t.a.t

C:\Users\user\AppData\Local\Temp\Stands

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	6.428731813042913
Encrypted:	false
SSDEEP:	192:ZzipamOEoh8uI5HIpmKaS7HXj8S0NOWpmqoVezg5IIvkFFAXsJEdNmTl4FzgG9:wYaPuMHIpmikS0NOsHuezu1sJM1zB
MD5:	373985375BDB5C1DAEEFC39AE0937FA1
SHA1:	E2EF52BAAA03535B0E2581A301108310C74BDDCE
SHA-256:	2E9DD9DC42674125BF79455D4FF86C1223A36DD2BB066461E5C930EFB98B63BF
SHA-512:	E914A3FA20DBA64DE594650CB4DAC4C4E481993049C6C495034FBAB29D86BF612E2B68AA50762EB334027B7FF1A59994AC63695256D67119C5CE0821F7FBE201
Malicious:	false
Preview:	...<:L.......@:L.......D:L....H:L..)I...T:L.'RH...X:L.......\:L.......`:L.......d:L.......h:L....l:L..)I...x:L..RH...\|:L........:L........:L........:L........:L.....:L..)I....:L..SH....:L........:L........:L........:L........:L.....:L..)I....:L.mTH....:L........:L........:L........:L........:L.....:L..I....:L.WUH....:L........:L........:L........:L........:L.....:L.$I....;L..UH....;L........;L........;L........;L........;L.... ;L.8I...,;L..VH...0;L.......4;L.......8;L.......<;L.......@;L....D;L.TI...P;L.{WH...T;L.......X;L.......\;L.......`;L.......d;L....h;L.lI...t;L.&XH...x;L.......\|;L........;L........;L........;L.....;L..I....;L..XH....;L........;L........;L........;L........;L.....;L..I....;L.6YH....;L........;L........;L........;L........;L.....;L..I....;L..YH....;L........;L........;L........;L........;L.....;L..I....<L..[H....<L........<L........<L........<L........<L.....<L..I...(<L.i]H...,<L.......0<L.......4<L.......8<L.......<<L....@<L..+I...L<L..]H...P<L.......T<

C:\Users\user\AppData\Local\Temp\Success

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	6.5305894484434015
Encrypted:	false
SSDEEP:	1536:tQ1/9klkp5VLGEDuaiC7v8xV96AE11yHxpfYAz7FbkdHIx1d:S1/Qkp5IKuLuv8xVTOAxpg6pbsHY1d
MD5:	6B5D1DCA30A9179B5ABCAA23E9CF7157
SHA1:	644BBDBB17DDBB7D71C508EB98549321AB0E166F
SHA-256:	5931320AA39B9F4017914561C27F24C5E4927826D1270F250160C1BDF26E3AA5
SHA-512:	95F57E0EF34F8962F8CA5ACC60E1C933B52A2807FC9EB5907D5196849BB6CE771261FE037DDA53F505125196AE18493E1D9C78486D205E800AFF300497447CCE
Malicious:	false
Preview:	..u..E.P.M......~..u...j..A\...u.M..Y...E...P.E.PV.b....M.....\...M.......K.u.M..\|Y...E...P.E.P.E.PV.u........M......[....t.......u..u..E...P........M..[...M.....M......._^[..]...U...L.U.VW.}..R..M.jH.....^.u....f9p..u.u..D......@.Pjp.............u..M..X....73.}...E.G........@.f;E.u.B..f;E.u.J..j@_f;.}.u...t...x.F..}..E.VPW.E.M.M.M.P.E...........y.....Q......U.j@^...f9p.u.I.....jGX...L..P..t...u.....}...E.uQf.E.M.3.j.f.E...s...M.......M.E.E.P..........u..E..WPj..O....M.E..d....V....}..uP...M.j4....s.....E.4..E.P.M....P...(s...M...Z...u..E.P.u..E..WPj..o.........}.........M..o....M...E..A..E..A..E..A..M..E....W...u..u...\|.I....rL..u....P..E...~L....M.f.E.3.j.f.E...r...E..M.E.E.P..........u..E..WPj..S....M.E..h....U.M......u.........t?...M.j4....r...M.......M..u....#r...E...P.u..E.WPj..u....E..M...Y...E...yl.U.3..j....Zf9P.t1.....E.....@.f;E.u.A..f;E.u.I..~.j.Zf;.u....B.....3.Wh.....H..........Wh....H....8....3..M.....M...q...._^..]...U..V

C:\Users\user\AppData\Local\Temp\Textile

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	6.463566611894195
Encrypted:	false
SSDEEP:	768:R6Yk4iARefFilP4Bwh1QwTMvcVPDqdU7SIc/jnsRf4rJsb25v0hL4G+CAiwo8Z8N:jpAfkF/bIQ2dU7SP/jnsF4rJsx9RZqen
MD5:	FF117EE701CD0CC70F5AA5EE105E7FC2
SHA1:	14C5AE8946A164DB95FA6F5D5C9056CAFD3BC00E
SHA-256:	826254D57A974632F6D4FBE15143428E1E8B2C994B2713D2574B8521020CB4CC
SHA-512:	B3877F279FE564331AC3ADBB0243849C2E273A907C0811F21242386C56DFEDD2337D7346009B8653C65C587BCCCB086497F27661794804661F5DB16AFE871F6F
Malicious:	false
Preview:	......Q..........E..t .M..t....QPV.........u..........u..;v..f..0..cv..j..d.........t........H..J..H..J..@..B.....3...Fv.......G..F..7v...3........s.........v...}.....v...}.............v...M.B..E............E.P.E.PV.:`.......w...V..M....f.x..uJ.8.uE.D..f.x..u..]......v.....U..v...U..H.......F........@.Pjr.W....>w...U..H.......F........@.Ph...../.....w...M.j.jv.......w....`....E.P.[....e......v....@..M.Ph.........ps......D.R.@.R.@...D.R.@...D...D...D.. D.. D.. D..A..P0..x....`....y0..t.Q.M....`....e.....:x...e.....nx...u...R.E....w...u.Q...*....w....\.........H..E....sw....\....y....cw...u...R.....Sw...u..E...PR......?w..j..E...PR....,w..j..E...PR.....w..j..E...PR..c....w..j..E...PR.$.....v...z..v..G.f9H.u%.8 u ......D.....0..0...H..E.A...v..j.ji.......v...E...PR.....v....h....^....v..j.h.......R....{v...u..E.j.P.E..PS../...K..E...f.x....k\|....@...Pjr......X\|....rL..p..iy......DtL..@tL......h..C........._y......sz.......y...y......DtL..@tL......h..C..U.

C:\Users\user\AppData\Local\Temp\Tolerance

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.696145415110408
Encrypted:	false
SSDEEP:	192:rhFGUS99p27x5yAMOUorM0pYPtlernjuPzQ0nMi49:rhFTqU7x5MOUyM0pNDj21na9
MD5:	F2D4E68D23921408E8C54C8035114F8F
SHA1:	5E4CA9AFDD5FDBAF7B6776BF29FDA61F45D015AB
SHA-256:	90E63DA6B9ADC3FE85ADE996E6E7E9A85496377E99B68B94AC779A376C1754D9
SHA-512:	2EED0CD7FB7C83E8340032E1B324AFC1C4D685F547A270344C2E295F3634CBE0D7E7282B20ABA5BF7BE21AA3502CC44C284BB7A0F0D3C5CB442D622FD8352964
Malicious:	false
Preview:	.................................................................~...p..............:...H...f...Z...N...D...T...`...l...x...............8...,... ...........................................................................................2...<...L...^...n...\|..........................................@...T...b...v.......................................*...<...H...:...r.......................................(...8...H...Z...p.......................................,...B...T...f...x............................... ...>...`...z...............................(...:...P...`...l...........................................,...8...L...d...z.......................&...............................x...`...t...f.......R...................................2...D...N...Z...f...v.......................................$...4...F...R...b...\|.......................^...................0..........................&...'...........%...)....... .......M................................................................

C:\Users\user\AppData\Local\Temp\Wright

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	7.998889553327324
Encrypted:	true
SSDEEP:	3072:YznTb9/1w+b5mt4Y9H18V8X9eL54mQz6JpLpae/5piyoe5W:AjBb5mtZ186XMLimQu9aK55W
MD5:	C51B4BD93615040665B5A2FD0EE12A2B
SHA1:	B88E06D7B5EC2710669AF73F4BEF2789241C1B88
SHA-256:	890299C53891428A3AE23628CBA0E711E5C408F40A9DF4AD6C06CA882FFFD453
SHA-512:	2DD7A51BCA31BCAF30C07EBEAAA2A7F798843C3B149C1676696991CCB43828BDFD89E5CF4B2514B43EA8BE5AB051125B78B05A5D124FAA5BDA75EE7B2321097D
Malicious:	true
Preview:	,....... ...s=.p...9.f.s...Z..ct..&......h8....R..e..1ILa9...pp'%....N.S......2.j....C....N.7y.........>...'f..;.v~.....}.W......6g..o...HZ.@8.^qFX..nn..,..f...CV.k.7.f....Z.....Am....Y.4..Z...RT.q...E...I.^....~.dQP.2wG.7HG....f,..].iz.....9..>!.nS.8Ly.szVp.4...1..w.....k+.)Pp.r.)..42Ykn.[..F...g&ZXo.b.{......-..[.. ./..D8A..^..q...o..Sj.].B:...es&.B..9.....T...e.8.?.Z.[W../.j...@.....e"..H....Z..%...E..?!.e..x...{..G......w..>H3..2Y..3.~,.c C-&9.......4Z%...".-..?. ..q;.i....,-'D.3.`u..Bt.Q..5Z'..=...G..WK....E&?....nR.,........r.kwF<x..h=...3f..+..w.......u;.......'.^ j..l~.?.x...0.....e.qU.i.L.}e.....t...'.9b.g....zh.Y-PV......4b>.abR....%S..K..#Z....u....[n].b....i..Q.>...,e.U{.T8o....U.r..G..z]....L.......m.h.<.>XT....m..\|.I...1W.........uj .&.F!...X9....~.....3.}.e.~!.`....j...Q....s..f....k..(......).k;^X.b.-.6.B....w....?..0.QP~...5......y..i..p...j.AC{M.k.x.......&.y.:...{...<i.....".)./..t...V......O.}]...K......y...

C:\Users\user\AppData\Local\Temp\nsb6504.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	2851237
Entropy (8bit):	7.7670046225977964
Encrypted:	false
SSDEEP:	49152:fU/L21jiKzl/uottM3ozttK2HmwNMPgM6Oua4EP2FjIdPbSdoHei8KMzL:fUz212KzPtx3XHVsFdPJd1eixMzL
MD5:	34F6EF5FF4355B400EFEBFD0E367A1C6
SHA1:	948D80525D510FA654B3B418866B140A5084180E
SHA-256:	C357A25B576D7400187755EB828673F86358DA31B51793D30C568D3DFF603AFB
SHA-512:	57842B27497E3FC1C5C808EF6312706AB1E74F8E359398354B476AA5037997622E24915984ECCE5F680B435692AF2E850906C4DF70FE32496BD9F30D7C42F544
Malicious:	false
Preview:	<4......,.......,.......D........#.......3......<4......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.996343811013664
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'418'898 bytes
MD5:	814ff8b10d8641b03fcf1e9efc1005bf
SHA1:	25cb52ef822cf0077a11278d936569ed5f5d92d4
SHA256:	976137409e5d45839870a834b4b06bd46495a39d216bb0f31f1f0370fe1b5d94
SHA512:	4426e9d8f799cdd7b05fa7c40a4bb62d0b95e95a280d85dd7aaf808aabdd4752fd2621e6d073cd881c0176ef2b72a270a79d9a45f18da357d75c1e7dc084bc12
SSDEEP:	49152:Qg2wVptJl9PSgu4zNdH4aZI1vq/j0gBVI2azDaKIk5sJd8FB7TVysFP:NXd9P+4ZdHjIS0gBSDXInr8L7xFP
TLSH:	6AB5334E02E326B6EE5302326D240F167BC99F132077F70ED753368A605A997617E399
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......`.................f...*.....

File Icon


Icon Hash:	60e098b8b892b2b0

Static PE Info

General

Entrypoint:	0x4035d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC91EE [Sat Jul 24 22:19:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c05041e01f84e1ccca9c4451f3b6a383

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080C8h]
call dword ptr [004080CCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A26Ch], eax
je 00007F7E0CB12DC3h
push ebx
call 00007F7E0CB160C9h
cmp eax, ebx
je 00007F7E0CB12DB9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F7E0CB16043h
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F7E0CB12D9Ch
push 0000000Bh
call 00007F7E0CB1609Ch
push 00000009h
call 00007F7E0CB16095h
push 00000007h
mov dword ptr [0042A264h], eax
call 00007F7E0CB16089h
cmp eax, ebx
je 00007F7E0CB12DC1h
push 0000001Eh
call eax
test eax, eax
je 00007F7E0CB12DB9h
or byte ptr [0042A26Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [0042A338h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 00421708h
call dword ptr [0040818Ch]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0x4e88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6572	0x6600	869e1d11bbf88d92521c022fa6f3d4f0	False	0.6623008578431373	data	6.453919385955138	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1398	0x1400	79e286249499b713a2ddbee33baa50da	False	0.449609375	data	5.1367175827370986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	b6d02c867f7bfbcf68de2cfeea94fd73	False	0.5078125	data	4.096809083627214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b000	0x4e88	0x5000	d532dfd53e9ce17a7f111164b80425d7	False	0.6568359375	data	6.503943451432764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b1f0	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.4458909682668836
RT_ICON	0x3d858	0x1bd2	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0015445099691098
RT_ICON	0x3f430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6968085106382979
RT_DIALOG	0x3f898	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3f998	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3fab8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3fb18	0x30	data	English	United States	0.875
RT_MANIFEST	0x3fb48	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 17, 2024 17:58:06.806751966 CEST	58086	53	192.168.2.4	1.1.1.1
Jun 17, 2024 17:58:06.823071003 CEST	53	58086	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 17, 2024 17:58:06.806751966 CEST	192.168.2.4	1.1.1.1	0xdad3	Standard query (0)	JzyWtlVaDZyw.JzyWtlVaDZyw	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 17, 2024 17:58:06.823071003 CEST	1.1.1.1	192.168.2.4	0xdad3	Name error (3)	JzyWtlVaDZyw.JzyWtlVaDZyw	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:58:00
Start date:	17/06/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	2'418'898 bytes
MD5 hash:	814FF8B10D8641B03FCF1E9EFC1005BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:58:01
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:58:01
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:58:03
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x440000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:58:03
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0xb40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:58:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x440000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:58:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0xb40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:58:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 812297
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:58:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "IndieBeachesHonIo" Janet
Imagebase:	0x30000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:58:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:58:04
Start date:	17/06/2024
Path:	C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif
Wow64 process (32bit):	true
Commandline:	812297\Shopzilla.pif 812297\g
Imagebase:	0xba0000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	11:58:05
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 15
Imagebase:	0x920000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:58:05
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
Imagebase:	0x400000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:58:06
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:58:07
Start date:	17/06/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"
Imagebase:	0x7ff7312a0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:58:07
Start date:	17/06/2024
Path:	C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"
Imagebase:	0x690000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\TechMind360 Innovations Co\L

C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js

C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif

C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif

C:\Users\user\AppData\Local\Temp\812297\g

C:\Users\user\AppData\Local\Temp\Acoustic

C:\Users\user\AppData\Local\Temp\After

C:\Users\user\AppData\Local\Temp\Almost

C:\Users\user\AppData\Local\Temp\Anticipated

C:\Users\user\AppData\Local\Temp\Anyone

C:\Users\user\AppData\Local\Temp\Anyone.cmd

C:\Users\user\AppData\Local\Temp\Bb

C:\Users\user\AppData\Local\Temp\Bee

C:\Users\user\AppData\Local\Temp\Blessed

C:\Users\user\AppData\Local\Temp\Cargo

C:\Users\user\AppData\Local\Temp\Chase

C:\Users\user\AppData\Local\Temp\Commercial

Windows Analysis Report
file.exe