
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1458478
MD5: 814ff8b10d8641b03fcf1e9efc1005bf
SHA1: 25cb52ef822cf0077a11278d936569ed5f5d92d4
SHA256: 976137409e5d45839870a834b4b06bd46495a39d216bb0f31f1f0370fe1b5d94
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Wscript called in batch mode (suppresses errors)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 814FF8B10D8641B03FCF1E9EFC1005BF)
    • cmd.exe (PID: 7472 cmdline: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7560 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7568 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7608 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7616 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7652 cmdline: cmd /c md 812297 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7668 cmdline: findstr /V "IndieBeachesHonIo" Janet MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7684 cmdline: cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Shopzilla.pif (PID: 7700 cmdline: 812297\Shopzilla.pif 812297\g MD5: B06E67F9767E5023892D9698703AD098)
        • schtasks.exe (PID: 7740 cmdline: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7716 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • wscript.exe (PID: 7792 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • MindTechPro360.pif (PID: 7836 cmdline: "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L" MD5: B06E67F9767E5023892D9698703AD098)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 812297\Shopzilla.pif 812297\g, ParentImage: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, ParentProcessId: 7700, ParentProcessName: Shopzilla.pif, ProcessCommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 7740, ProcessName: schtasks.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", ProcessId: 7792, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: 812297\Shopzilla.pif 812297\g, CommandLine: 812297\Shopzilla.pif 812297\g, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7472, ParentProcessName: cmd.exe, ProcessCommandLine: 812297\Shopzilla.pif 812297\g, ProcessId: 7700, ProcessName: Shopzilla.pif
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 812297\Shopzilla.pif 812297\g, ParentImage: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, ParentProcessId: 7700, ParentProcessName: Shopzilla.pif, ProcessCommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 7740, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, ProcessId: 7472, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 812297\Shopzilla.pif 812297\g, ParentImage: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif, ParentProcessId: 7700, ParentProcessName: Shopzilla.pif, ProcessCommandLine: schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 7740, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js", ProcessId: 7792, ProcessName: wscript.exe
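The Sigma matches above are single-event rules. The chain in the process tree is more telling when the events are read together: tasklist output grepped for security-product names, a payload rebuilt with copy /b from many fragments, a renamed interpreter (.pif) started from %TEMP% with a data file, a scheduled task whose action is wscript //B on a .js under AppData, and finally that task firing. The following is an added example, not Joe Sandbox or Sigma code, that encodes those checks as plain Python over process-creation records shaped like the fields in the matches (Image, CommandLine, ParentImage). The sample records are constructed from the command lines shown in the process tree; the USER_WRITABLE path pattern, the four-fragment threshold and the benign look-alikes are this example's own assumptions.

```python
"""Detection logic for the dropper chain in this report, run over process-creation
records. Added example, not Joe Sandbox or Sigma code. SAMPLE_EVENTS is constructed
from the report's process tree; thresholds and USER_WRITABLE are assumptions."""
import re
from dataclasses import dataclass

# Security-product process names the sample greps tasklist output for (from the report).
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                    "nswscsvc.exe", "sophoshealth.exe"}
# Paths an unprivileged user can write to (assumption: sufficient for this example).
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+\\(desktop|downloads))\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)

@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str = ""

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def av_discovery(ev: ProcEvent) -> bool:
    """findstr /I "<av names>" under cmd.exe: the tasklist | findstr AV check."""
    if _base(ev.image) != "findstr.exe" or _base(ev.parent_image) != "cmd.exe":
        return False
    names = {w.lower() for w in re.findall(r"[\w.-]+\.exe", ev.cmdline)}
    return bool(names & AV_PROCESS_NAMES)

def chunk_reassembly(ev: ProcEvent, min_parts: int = 4) -> bool:
    """copy /b A + B + ... dest: binary concatenation of many dropped fragments."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", ev.cmdline, re.I)
    return bool(m) and len(m.group(1).split("+")) >= min_parts

def pif_from_user_path(ev: ProcEvent) -> bool:
    """A .pif started from a user-writable directory (renamed interpreter + data file)."""
    return _base(ev.image).endswith(".pif") and bool(USER_WRITABLE.search(ev.image))

def schtasks_script_persistence(ev: ProcEvent) -> bool:
    """schtasks /create whose /tr action runs wscript/cscript on a script in a
    user-writable path, with a logon trigger or highest run level."""
    cl = ev.cmdline.lower()
    if _base(ev.image) != "schtasks.exe" or "/create" not in cl:
        return False
    m = re.search(r'/tr\s+"([^"]*)"', ev.cmdline, re.I)
    action = m.group(1) if m else ""
    if not re.search(r"\b[wc]script\b", action, re.I) or not USER_WRITABLE.search(action):
        return False
    return "/rl highest" in cl or "/sc onlogon" in cl

def wsh_silent_script(ev: ProcEvent) -> bool:
    """wscript/cscript with //B (batch mode, no error dialogs) on a script file
    under a user-writable path."""
    if _base(ev.image) not in ("wscript.exe", "cscript.exe"):
        return False
    cl = ev.cmdline
    return "//b" in cl.lower() and bool(USER_WRITABLE.search(cl)) and bool(SCRIPT_EXT.search(cl))

RULES = {f.__name__: f for f in (av_discovery, chunk_reassembly, pif_from_user_path,
                                  schtasks_script_persistence, wsh_silent_script)}

def evaluate(events):
    """Return [(rule_name, cmdline), ...] for every rule that fires on every event."""
    return [(name, ev.cmdline) for ev in events for name, rule in RULES.items() if rule(ev)]

def fired_rules(events):
    return {name for name, _ in evaluate(events)}

# Constructed from the process tree in this report (paths and commands as shown there).
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\812297"
APP = r"C:\Users\user\AppData\Local\TechMind360 Innovations Co"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"', CMD),
    ProcEvent(r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"', CMD),
    ProcEvent(CMD, r"cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon"
                   r" + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost"
                   r" + Do + Continental 812297\g", CMD),
    ProcEvent(TMP + r"\Shopzilla.pif", r"812297\Shopzilla.pif 812297\g", CMD),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              'schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B \'' + APP
              + r"\MindTechPro360.js'" + '" /sc onlogon /F /RL HIGHEST', TMP + r"\Shopzilla.pif"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\system32\wscript.EXE //B "' + APP + r'\MindTechPro360.js"'),
]
# Constructed benign look-alikes that must not fire.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /tr "C:\Program Files\Tool\backup.exe" /sc daily'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd /c copy /b a.bin + b.bin out.bin", CMD),
    ProcEvent(r"C:\Windows\System32\findstr.exe", 'findstr /I "error" app.log', CMD),
]

if __name__ == "__main__":
    for name, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"{name:28s} {cmdline[:90]}")
```

Each of the six sample events trips exactly one rule and the benign set trips none; in practice the value is in correlating the hits by parent process and time window, since a lone findstr or copy /b is common on developer machines.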

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe", CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7472, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe", ProcessId: 7616, ProcessName: findstr.exe
No Snort rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402902 FindFirstFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040689A FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C047B7 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0CB81 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006F47B7 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006FCB81 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: unknown | DNS traffic detected: query: JzyWtlVaDZyw.JzyWtlVaDZyw, reply code (RCODE): Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C1279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: JzyWtlVaDZyw.JzyWtlVaDZyw
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000000.1737134126.0000000000C68000.00000002.00000001.01000000.00000005.sdmp, MindTechPro360.pif, 0000000F.00000002.2941852709.0000000000758000.00000002.00000001.01000000.00000008.sdmp, Halloween.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000003.1746303015.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Shopzilla.pif, 0000000A.00000002.2943481145.0000000003B16000.00000004.00000020.00020000.00000000.sdmp, Essential.0.dr, nsb6504.tmp.0.dr, Shopzilla.pif.1.dr, MindTechPro360.pif.10.dr | String found in binary or memory: https://www.globalsign.com/repository/03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C14614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_00704614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C14416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C00374 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C2CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_0071CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Acoustic, entropy: 7.99903860979
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Do, entropy: 7.99828405938
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Gnome, entropy: 7.99307602247
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Ready, entropy: 7.99833337336
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Predict, entropy: 7.99792045824
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Bee, entropy: 7.99614213934
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Sandra, entropy: 7.9989156064
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Praise, entropy: 7.99907507657
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Almost, entropy: 7.99894390583
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Random, entropy: 7.99621260001
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Wright, entropy: 7.99888955333
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Shannon, entropy: 7.99469915151
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Bb, entropy: 7.99924202624
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Extreme, entropy: 7.999072405
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Dot, entropy: 7.99842475993
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\812297\g, entropy: 7.99990971854
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\L, entropy: 7.99990971854
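The entropy values above (all within 0.01 of the 8.0 maximum) mark the fifteen %TEMP% fragments as compressed or encrypted data, and the process tree shows what happens to them: cmd.exe concatenates them with copy /b into 812297\g, and a second file is produced from "Janet" by findstr /V removing every line that contains the marker string. The following is an added example, not Joe Sandbox or the sample's own code, that re-implements those two cmd.exe steps in Python over constructed in-memory files and computes Shannon entropy in bits per byte on the same 0 to 8 scale as the report. Where the marker line sits inside the real carrier file is not stated in the report; placing it first, and the fragment contents, are this example's assumptions.

```python
"""Forensic helper for the staging step in this report. Added example, not Joe
Sandbox or the sample's code: emulates 'copy /b A + B + ... dest' and
'findstr /V marker' over constructed in-memory files and measures Shannon
entropy in bits per byte. Carrier layout and fragment contents are assumptions."""
import math
import random
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Compressed or encrypted data approaches 8.0, which is why
    the report flags files measuring 7.99x as 'high entropy'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_copy_b(cmdline: str):
    """Split 'copy /b A + B + ... dest' into (ordered fragment names, destination)."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.I)
    if not m:
        raise ValueError("not a copy /b concatenation: " + cmdline)
    return [p.strip() for p in m.group(1).split("+")], m.group(2)

def reassemble(cmdline: str, files: dict):
    """Emulate cmd.exe 'copy /b': concatenate the fragments in command-line order."""
    names, dest = parse_copy_b(cmdline)
    missing = [n for n in names if n not in files]
    if missing:
        raise FileNotFoundError("fragments not recovered: " + ", ".join(missing))
    return dest, b"".join(files[n] for n in names)

def strip_marker_lines(data: bytes, marker: bytes) -> bytes:
    """Emulate 'findstr /V marker': keep every line that does not contain marker.
    Lines are split after each \\n so binary content passes through unchanged."""
    lines = re.split(rb"(?<=\n)", data)
    return b"".join(line for line in lines if marker not in line)

# Fragment names and marker string as they appear in the report's process tree.
FRAGMENT_NAMES = ("Praise Bee Random Acoustic Predict Shannon Extreme Gnome "
                  "Sandra Wright Ready Bb Dot Almost Do Continental").split()
COPY_CMD = "cmd /c copy /b " + " + ".join(FRAGMENT_NAMES) + r" 812297\g"
MARKER = b"IndieBeachesHonIo"

def build_scene(seed: int = 7):
    """Constructed stand-in for the dropped files (not the real contents)."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    payload = b"MZ" + rand(8190)              # what 'Janet' minus its marker line would hold
    carrier = MARKER + b"\r\n" + payload      # what findstr /V reads (marker-first: assumption)
    blob = rand(16 * 4096)                    # what 'copy /b' should rebuild as 812297\g
    size = len(blob) // len(FRAGMENT_NAMES)
    fragments = {n: blob[i * size:(i + 1) * size] for i, n in enumerate(FRAGMENT_NAMES)}
    return carrier, payload, fragments, blob

def analyse(seed: int = 7):
    """Run both emulations and return what an analyst would check."""
    carrier, payload, fragments, blob = build_scene(seed)
    dest, rebuilt = reassemble(COPY_CMD, fragments)
    return {
        "fragment_entropy": {n: shannon_entropy(b) for n, b in fragments.items()},
        "dest": dest,
        "rebuilt_matches": rebuilt == blob,
        "stripped_matches": strip_marker_lines(carrier, MARKER) == payload,
    }

if __name__ == "__main__":
    r = analyse()
    for name, ent in r["fragment_entropy"].items():
        print(f"{name:12s} entropy {ent:.4f}")
    print(r["dest"], "rebuilt:", r["rebuilt_matches"], "marker stripped:", r["stripped_matches"])
```

On real dropped files, read each fragment from the sandbox's dropped-file archive into the dict keyed by its %TEMP% name and pass the copy /b command line from the process tree; the rebuilt 812297\g and the findstr output are the artefacts to hash and carve next, and the entropy per fragment tells you whether any fragment is plaintext (a config or script) rather than part of the encrypted blob.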

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C040C1 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BF8D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C055E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006F55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406C5B
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BAB020
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BA94E0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BA9C80
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C281C8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC2325
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BD6432
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BD258E
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BAE6F0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC275A
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BD88EF
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C20802
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BD69A4
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BFEB95
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BB0BE0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BCCC81
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C08CB1
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C20C7F
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BD6F16
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC32E9
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BCF339
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BBD457
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC15E4
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BBF57E
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BAF6A0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BA1663
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC77F3
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC1AD8
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BCDAD5
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BD9C15
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BBDD14
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BC1EF0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BCBF06
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_0069B020
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006994E0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_00699C80
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_007181C8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B2325
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006C6432
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006C258E
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_0069E6F0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B275A
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_00710802
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006C88EF
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006C69A4
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006A0BE0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006EEB95
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_00710C7F
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006F8CB1
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006BCC81
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006C6F16
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B32E9
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006BF339
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006AD457
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006AF57E
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B15E4
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_00691663
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_0069F6A0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B77F3
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B1AD8
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006BDAD5
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006C9C15
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006ADD14
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006B1EF0
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006BBF06
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: String function: 00BC0C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: String function: 00BB1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: String function: 00BC8A60 appears 42 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: String function: 006B8A60 appears 42 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: String function: 006B0C42 appears 70 times
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: String function: 006A1A36 appears 34 times
Source: file.exe, 00000000.00000002.1901869005.000000000292E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal84.rans.evad.winEXE@28/49@1/0
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C0A51A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BF8BCC AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00BF917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006E8BCC AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif | Code function: 15_2_006E917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C03FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004021A2 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Code function: 10_2_00C042AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | File created: C:\Users\user\AppData\Local\TechMind360 Innovations Co
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsb6503.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 812297
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "IndieBeachesHonIo" Janet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif 812297\Shopzilla.pif 812297\g
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif "C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" "C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"
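The process chain listed above (tasklist piped into findstr /I against security-product process names, reassembly of the payload with copy /b from sixteen fragments, a renamed interpreter executed as a .pif from a user-writable directory, and persistence via schtasks running wscript //B at logon with /RL HIGHEST) expressed as detection logic. This is an added example and is not part of the Joe Sandbox report or its signature engine: the sample events are constructed from the report's own "Process created" command lines, while the rule names, the three-fragment threshold, the system-directory prefixes and the vendor annotations next to the process names are the author's assumptions.

```python
"""Detection rules for the process chain in this report (added example)."""
import re

# Process names come from the sample's findstr arguments; the vendor labels
# are the author's annotation, not something the report states.
AV_PROCESSES = {
    "wrsa.exe": "Webroot SecureAnywhere",
    "opssvc.exe": "Quick Heal",
    "avastui.exe": "Avast",
    "avgui.exe": "AVG",
    "nswscsvc.exe": "Norton",
    "sophoshealth.exe": "Sophos",
}
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumption

# Constructed sample: (parent image, child command line), copied from the
# report's process-creation entries.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\file.exe",
     r'"C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd'),
    (r"C:\Windows\SysWOW64\cmd.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\cmd.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 812297"),
    (r"C:\Windows\SysWOW64\cmd.exe", 'findstr /V "IndieBeachesHonIo" Janet'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + "
     r"Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + "
     r"Continental 812297\g"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"812297\Shopzilla.pif 812297\g"),
    (r"C:\Windows\SysWOW64\cmd.exe", "timeout 15"),
    (r"C:\Users\user\AppData\Local\Temp\812297\Shopzilla.pif",
     r'''schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST'''),
    (r"C:\Windows\System32\wscript.exe",
     r'"C:\Users\user\AppData\Local\TechMind360 Innovations Co\MindTechPro360.pif" '
     r'"C:\Users\user\AppData\Local\TechMind360 Innovations Co\L"'),
]


def av_names_in(cmdline):
    """AV process names grepped by a 'findstr /I "..."' command (the batch
    script pipes tasklist output into it)."""
    m = re.match(r'\s*findstr(?:\.exe)?\s+/I\s+"([^"]*)"', cmdline, re.I)
    if not m:
        return []
    return [n for n in m.group(1).lower().split() if n in AV_PROCESSES]


def parse_copy_concat(cmdline):
    """For 'copy /b A + B + ... dest' return (parts, dest); otherwise None."""
    m = re.search(r'copy\s+/b\s+(.+?)\s+(\S+)\s*$', cmdline, re.I)
    if not m or "+" not in m.group(1):
        return None
    return [p.strip() for p in m.group(1).split("+")], m.group(2)


def parse_schtasks(cmdline):
    """Pull name, action, schedule and run level out of 'schtasks /create'."""
    if not re.search(r'schtasks(?:\.exe)?\s+/create\b', cmdline, re.I):
        return None

    def opt(flag):
        m = re.search(flag + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    return {"name": opt("/tn"), "action": opt("/tr"),
            "schedule": opt("/sc"), "run_level": opt("/rl")}


def child_image(cmdline):
    """Image token of a command line, honouring a leading quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def analyze(events):
    """Run every rule over (parent, command line) pairs; return the findings."""
    findings = []
    for parent, cmd in events:
        image = child_image(cmd)
        names = av_names_in(cmd)
        if names:
            findings.append({"rule": "av_process_enumeration", "processes": names,
                             "vendors": sorted({AV_PROCESSES[n] for n in names})})
        cc = parse_copy_concat(cmd)
        if cc and len(cc[0]) >= 3:  # fragment threshold is an assumption
            findings.append({"rule": "payload_reassembly", "parts": len(cc[0]), "dest": cc[1]})
        if image.lower().endswith(".pif") and not image.lower().startswith(SYSTEM_PREFIXES):
            findings.append({"rule": "pif_outside_system_dirs", "image": image, "parent": parent})
        task = parse_schtasks(cmd)
        if task and task["action"] and re.search(r'(?i)\b[wc]script(?:\.exe)?\s+//B\b', task["action"]):
            script = re.search(r"""['"]([^'"]+)['"]""", task["action"])
            findings.append({"rule": "schtasks_wscript_persistence", "task": task["name"],
                             "schedule": task["schedule"], "run_level": task["run_level"],
                             "script": script.group(1) if script else None})
        if parent.lower().endswith("wscript.exe") and image.lower().endswith((".pif", ".exe", ".scr", ".com")):
            findings.append({"rule": "wscript_spawns_executable", "image": image})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Each rule keys on a different stage, so a single hit is weak on its own (copy /b with several parts occurs in legitimate scripts; .pif launches are rarer but not unique), while the combination on one host within one parent chain is the signal the report's score reflects. The findstr /V "IndieBeachesHonIo" Janet step is deliberately not a rule: it strips a marker string from a fragment before reassembly and would need the file contents, which the process log alone does not carry.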
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess cre