Windows Analysis Report
External24.exe

Overview

General Information

Sample name: External24.exe
Analysis ID: 1464408
MD5: e8af10713a9e8ee414a1a0865c2379f2
SHA1: 12193121a75325ca4a32e7260d82e6d8c85fe0d4
SHA256: acad873da34aab461e8a7b87dd2c6d98c3b2b187f5ca868415bac26af1516da5
Tags: exe
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Contains functionality to inject threads in other processes
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files with a suspicious file extension
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies Group Policy settings
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Wscript called in batch mode (surpress errors)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: External24.exe ReversingLabs: Detection: 18%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.6% probability
Machine Learning detection for sample
Source: External24.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C16B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 21_2_00C16B00
Uses 32bit PE files
Source: External24.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:55334 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:55335 version: TLS 1.2
Source: External24.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Change of critical system settings
barindex
Adds extensions / path to Windows Defender exclusion list (Registry)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006647B7 GetFileAttributesW,FindFirstFileW,FindClose, 15_2_006647B7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0066F8A3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00663E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00663E72
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0066C16C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066CB81 FindFirstFileW,FindClose, 15_2_0066CB81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_0066CC0C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0066F445
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0066F5A2
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00663B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00663B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_006CC16C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C47B7 GetFileAttributesW,FindFirstFileW,FindClose, 21_2_006C47B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CCB81 FindFirstFileW,FindClose, 21_2_006CCB81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 21_2_006CCC0C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_006CF445
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_006CF5A2
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_006CF8A3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_006C3B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_006C3E72
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C16000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 21_2_00C16000
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C36770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 21_2_00C36770
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B81F9C FindClose,FindFirstFileExW,GetLastError, 21_2_00B81F9C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE3F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B82022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 21_2_00B82022

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:55333 -> 3.36.173.8:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:55333 -> 3.36.173.8:50500
Source: Traffic Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 3.36.173.8:50500 -> 192.168.2.4:55336
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:55333 -> 3.36.173.8:50500
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 172.67.75.166 172.67.75.166
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0067279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 15_2_0067279E
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: CcUPthUoPgCKIth.CcUPthUoPgCKIth
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: External24.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: External24.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: External24.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: External24.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: External24.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: External24.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: External24.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: External24.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: External24.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: External24.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: External24.exe String found in binary or memory: http://ocsp.digicert.com0
Source: External24.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: External24.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: External24.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 0000000A.00000000.1667514341.0000000000728000.00000002.00000001.01000000.00000005.sdmp, PixelFlow.pif, 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmp, Lawyers.pif, 00000015.00000000.2875071248.0000000000728000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Ivory.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: External24.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33a
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33tQ0
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33j
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, 7yC9aM3nOPMh37Qvw5GmIXM.zip.21.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.21.dr String found in binary or memory: https://t.me/risepro_bot
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot33203
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Lawyers.pif String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, History.txt.21.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018990250.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020594535.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021409514.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022662035.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020835160.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017414060.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018332936.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3023598157.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020119374.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3019672520.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020391892.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017934761.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022341285.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017683304.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021852441.0000000006154000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.21.dr, D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/d
Source: D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, History.txt.21.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/allets
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/e
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018990250.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020594535.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021409514.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022662035.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020835160.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017414060.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018332936.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3023598157.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020119374.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3019672520.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020391892.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017934761.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022341285.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017683304.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021852441.0000000006154000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.21.dr, D87fZN3R3jFeplaces.sqlite.21.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxm
Source: unknown Network traffic detected: HTTP traffic on port 55334 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55334
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55335
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:55334 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:55335 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00674614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 15_2_00674614
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006D4614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 21_2_006D4614
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00674416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 15_2_00674416
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C35FF0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 21_2_00C35FF0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0068CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_0068CEDF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006ECEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 21_2_006ECEDF

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Appearance entropy: 7.99802716721 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Therefore entropy: 7.99865168987 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Sharon entropy: 7.99552725011 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Anytime entropy: 7.99825278262 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Warming entropy: 7.99906740598 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Inspections entropy: 7.99494180936 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Physical entropy: 7.99885717625 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Helena entropy: 7.99326270642 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Lung entropy: 7.99793600042 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Zoning entropy: 7.99764197142 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Accidents entropy: 7.99887666637 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Latinas entropy: 7.99845945803 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Inflation entropy: 7.99886160045 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Wiley entropy: 7.99864940107 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Cincinnati entropy: 7.99899755257 Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\Army entropy: 7.99828016887 Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\292668\r entropy: 7.99988284324 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Users\user\AppData\Local\PixelFlow Creations\m entropy: 7.99988284324 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip entropy: 7.99792293497 Jump to dropped file

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript called in batch mode (surpress errors)
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process Stats: CPU usage > 49%
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006640C1: CreateFileW,DeviceIoControl,CloseHandle, 15_2_006640C1
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00658D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 15_2_00658D11
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006655E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 15_2_006655E5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 21_2_006C55E5
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Windows\System32\GroupPolicy\Machine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Windows\System32\GroupPolicy\User Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Windows\System32\GroupPolicy\GPT.INI Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004049A8 0_2_004049A8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0060B020 15_2_0060B020
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006094E0 15_2_006094E0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00609C80 15_2_00609C80
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006881C8 15_2_006881C8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00622325 15_2_00622325
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00636432 15_2_00636432
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0063258E 15_2_0063258E
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0060E6F0 15_2_0060E6F0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062275A 15_2_0062275A
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00680802 15_2_00680802
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006388EF 15_2_006388EF
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006369A4 15_2_006369A4
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00610BE0 15_2_00610BE0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0065EB95 15_2_0065EB95
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00680C7F 15_2_00680C7F
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00668CB1 15_2_00668CB1
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062CC81 15_2_0062CC81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00636F16 15_2_00636F16
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006232E9 15_2_006232E9
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062F339 15_2_0062F339
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0061D457 15_2_0061D457
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0061F57E 15_2_0061F57E
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006215E4 15_2_006215E4
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00601663 15_2_00601663
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0060F6A0 15_2_0060F6A0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006277F3 15_2_006277F3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062DAD5 15_2_0062DAD5
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00621AD8 15_2_00621AD8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00639C15 15_2_00639C15
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0061DD14 15_2_0061DD14
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00621EF0 15_2_00621EF0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062BF06 15_2_0062BF06
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006E81C8 21_2_006E81C8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00682325 21_2_00682325
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00696432 21_2_00696432
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0069258E 21_2_0069258E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0066E6F0 21_2_0066E6F0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068275A 21_2_0068275A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006E0802 21_2_006E0802
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006988EF 21_2_006988EF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006969A4 21_2_006969A4
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00670BE0 21_2_00670BE0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006BEB95 21_2_006BEB95
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006E0C7F 21_2_006E0C7F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C8CB1 21_2_006C8CB1
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068CC81 21_2_0068CC81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00696F16 21_2_00696F16
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0066B020 21_2_0066B020
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006832E9 21_2_006832E9
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068F339 21_2_0068F339
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0067D457 21_2_0067D457
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006694E0 21_2_006694E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0067F57E 21_2_0067F57E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006815E4 21_2_006815E4
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00661663 21_2_00661663
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0066F6A0 21_2_0066F6A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006877F3 21_2_006877F3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00681AD8 21_2_00681AD8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068DAD5 21_2_0068DAD5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00699C15 21_2_00699C15
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00669C80 21_2_00669C80
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0067DD14 21_2_0067DD14
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00681EF0 21_2_00681EF0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068BF06 21_2_0068BF06
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C100A0 21_2_00C100A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B9002D 21_2_00B9002D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C5A2B0 21_2_00C5A2B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B5A2C0 21_2_00B5A2C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BFA200 21_2_00BFA200
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BF6250 21_2_00BF6250
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C0E3C0 21_2_00C0E3C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE63B0 21_2_00BE63B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C084D0 21_2_00C084D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C4A480 21_2_00C4A480
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C2E430 21_2_00C2E430
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C64550 21_2_00C64550
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE86B0 21_2_00BE86B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C306D0 21_2_00C306D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE0600 21_2_00BE0600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BF88B0 21_2_00BF88B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C4A930 21_2_00C4A930
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C34BD0 21_2_00C34BD0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C4AD00 21_2_00C4AD00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BEAF60 21_2_00BEAF60
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BEF0D0 21_2_00BEF0D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C2F030 21_2_00C2F030
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BED3A0 21_2_00BED3A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C8F550 21_2_00C8F550
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C03600 21_2_00C03600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C27600 21_2_00C27600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C01630 21_2_00C01630
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE5790 21_2_00BE5790
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B5B8E0 21_2_00B5B8E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BFDB20 21_2_00BFDB20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B59C90 21_2_00B59C90
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BD1C10 21_2_00BD1C10
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C47D00 21_2_00C47D00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C11F20 21_2_00C11F20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE3F40 21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C720D0 21_2_00C720D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C460E0 21_2_00C460E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BD611D 21_2_00BD611D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C3E170 21_2_00C3E170
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BF4320 21_2_00BF4320
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B9036F 21_2_00B9036F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C40450 21_2_00C40450
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C485F0 21_2_00C485F0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BD45E0 21_2_00BD45E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BA47BF 21_2_00BA47BF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C42820 21_2_00C42820
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B8A928 21_2_00B8A928
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C96970 21_2_00C96970
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B8C960 21_2_00B8C960
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BA8BB0 21_2_00BA8BB0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C48B40 21_2_00C48B40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C3EC40 21_2_00C3EC40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C84D40 21_2_00C84D40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C96D20 21_2_00C96D20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C56EA0 21_2_00C56EA0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C66EA0 21_2_00C66EA0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: String function: 00628A60 appears 42 times
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: String function: 00611A36 appears 34 times
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: String function: 00620C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: String function: 00C97510 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: String function: 00671A36 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: String function: 00680C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: String function: 00B6ACE0 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: String function: 00B84380 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: String function: 00688A60 appears 42 times
Source: C:\Users\user\Desktop\External24.exe Code function: String function: 004062CF appears 57 times
PE / OLE file has an invalid certificate
Source: External24.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: External24.exe, 00000000.00000002.1711124595.00000000005FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs External24.exe
Uses 32bit PE files
Source: External24.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@30/75@3/3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066A51A GetLastError,FormatMessageW, 15_2_0066A51A
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00658BCC AdjustTokenPrivileges,CloseHandle, 15_2_00658BCC
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0065917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 15_2_0065917C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006B8BCC AdjustTokenPrivileges,CloseHandle, 21_2_006B8BCC
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006B917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 21_2_006B917C
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00620D68 FindCloseChangeNotification,CreateToolhelp32Snapshot, 15_2_00620D68
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006642AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 15_2_006642AA
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Users\user\AppData\Local\PixelFlow Creations Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2663
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Users\user\Desktop\External24.exe File created: C:\Users\user\AppData\Local\Temp\nsxDC41.tmp Jump to behavior
Source: External24.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\External24.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LrsRpbnZnzPmLogin Data For Account.21.dr, m5Mie8xKwOWILogin Data.21.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: External24.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\External24.exe File read: C:\Users\user\Desktop\External24.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\External24.exe "C:\Users\user\Desktop\External24.exe"
Source: C:\Users\user\Desktop\External24.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
Source: C:\Users\user\Desktop\External24.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m" Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: gpedit.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dssec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dsuiext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: framedynos.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: External24.exe Static file information: File size 2479935 > 1048576
Source: External24.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00628AA5 push ecx; ret 15_2_00628AB8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068E86F push edi; ret 21_2_0068E871
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C88B7 push FFFFFF8Bh; iretd 21_2_006C88B9
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068E988 push esi; ret 21_2_0068E98A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006AEA3E push 00000000h; retn 006Ah 21_2_006AEA4C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00688AA5 push ecx; ret 21_2_00688AB8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068EB63 push esi; ret 21_2_0068EB65
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0067CBDD push eax; retf 21_2_0067CBF8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068EC4C push edi; ret 21_2_0068EC4E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006D72DC push eax; iretd 21_2_006D72DD

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0068577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_0068577B
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00615EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_00615EDA
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006E577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 21_2_006E577B
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00675EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 21_2_00675EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006232E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_006232E9
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\External24.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Evasive API call chain: GetPEB, DecisionNodes, Sleep
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\External24.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Stalling execution: Execution stalls by calling Sleep
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 21_2_00BADB00
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif API coverage: 8.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 6244 Thread sleep count: 122 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif TID: 2800 Thread sleep time: -30101s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C949B0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00C949F1h 21_2_00C949B0
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006647B7 GetFileAttributesW,FindFirstFileW,FindClose, 15_2_006647B7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0066F8A3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00663E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00663E72
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0066C16C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066CB81 FindFirstFileW,FindClose, 15_2_0066CB81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_0066CC0C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0066F445
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0066F5A2
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00663B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00663B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_006CC16C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C47B7 GetFileAttributesW,FindFirstFileW,FindClose, 21_2_006C47B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CCB81 FindFirstFileW,FindClose, 21_2_006CCB81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 21_2_006CCC0C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_006CF445
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_006CF5A2
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_006CF8A3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_006C3B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_006C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_006C3E72
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C16000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 21_2_00C16000
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C36770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 21_2_00C36770
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B81F9C FindClose,FindFirstFileExW,GetLastError, 21_2_00B81F9C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE3F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B82022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 21_2_00B82022
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00615D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 15_2_00615D13
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Thread delayed: delay time: 30101 Jump to behavior
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: Lawyers.pif, 00000015.00000002.3502285683.0000000006176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000F05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>Y0W
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000001.19041.2006_none_d94bc80de1097097\gdiplus.dlllYrc
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Lawyers.pif, 00000015.00000002.3502285683.0000000006176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}txt*N
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*wT<
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8D4D65C4
Source: Lawyers.pif, 00000015.00000003.2961599363.0000000000F08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWjS
Source: PixelFlow.pif, 0000000F.00000002.1742294834.00000000039DE000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000003.1735274226.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000003.1734640266.00000000039CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006743B9 BlockInput, 15_2_006743B9
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00615240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 15_2_00615240
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00635BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 15_2_00635BDC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BAA102 mov eax, dword ptr fs:[00000030h] 21_2_00BAA102
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BAA102 mov ecx, dword ptr fs:[00000030h] 21_2_00BAA102
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C186C0 mov eax, dword ptr fs:[00000030h] 21_2_00C186C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h] 21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h] 21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h] 21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h] 21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h] 21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h] 21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BA95B8 mov ecx, dword ptr fs:[00000030h] 21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h] 21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BE5790 mov eax, dword ptr fs:[00000030h] 21_2_00BE5790
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BADB00 mov eax, dword ptr fs:[00000030h] 21_2_00BADB00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00BADB00 mov eax, dword ptr fs:[00000030h] 21_2_00BADB00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C26280 mov eax, dword ptr fs:[00000030h] 21_2_00C26280
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C1A502 mov eax, dword ptr fs:[00000030h] 21_2_00C1A502
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C1A6B3 mov eax, dword ptr fs:[00000030h] 21_2_00C1A6B3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C18C58 mov eax, dword ptr fs:[00000030h] 21_2_00C18C58
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C16D80 mov eax, dword ptr fs:[00000030h] 21_2_00C16D80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006586B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 15_2_006586B0
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0062A2B5
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062A284 SetUnhandledExceptionFilter, 15_2_0062A284
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_0068A2B5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_0068A284 SetUnhandledExceptionFilter, 21_2_0068A284
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B84184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00B84184
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B84311 SetUnhandledExceptionFilter, 21_2_00B84311
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B8451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00B8451D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00B88A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00B88A64

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: 21_2_00C1F280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 21_2_00C1F280
Disables Windows Defender (deletes autostart)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Memory written: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif base: B50000 value starts with: 4D5A Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0065914C LogonUserW, 15_2_0065914C
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00615240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 15_2_00615240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00661932 SendInput,keybd_event, 15_2_00661932
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066507B mouse_event, 15_2_0066507B
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\External24.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m" Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_006586B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 15_2_006586B0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00664D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 15_2_00664D89
Source: Lawyers.pif, 0000000A.00000000.1667330345.0000000000715000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 0000000A.00000003.1677686643.00000000047B1000.00000004.00000800.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PixelFlow.pif, Lawyers.pif Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0062878B cpuid 15_2_0062878B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 21_2_00C306D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 21_2_00BA2B5A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: GetLocaleInfoW, 21_2_00BA2D5F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Code function: EnumSystemLocalesW, 21_2_00BA2EEC
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0066E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 15_2_0066E0CA
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00640652 GetUserNameW, 15_2_00640652
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_0063409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 15_2_0063409A
Source: C:\Users\user\Desktop\External24.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender real time protection (registry)
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1 Jump to behavior
Exclude list of file types from scheduled, custom, and real-time scanning
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Registry value created: Exclusions_Extensions 1 Jump to behavior
Modifies Group Policy settings
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File written: C:\Windows\System32\GroupPolicy\GPT.INI Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storagep
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets7
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets7
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Lawyers.pif Binary or memory string: WIN_81
Source: Lawyers.pif Binary or memory string: WIN_XP
Source: Lawyers.pif Binary or memory string: WIN_XPe
Source: Concerning.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Lawyers.pif Binary or memory string: WIN_VISTA
Source: Lawyers.pif Binary or memory string: WIN_7
Source: Lawyers.pif Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00676733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 15_2_00676733
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif Code function: 15_2_00676BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 15_2_00676BF7