Windows Analysis Report
PmsbthDWFX.exe

Overview

General Information

Sample name: PmsbthDWFX.exe
(renamed file extension from bin to exe, renamed because original name is a hash value)
Original sample name: b53390dba0e0c227341f3c688be3aef91455c4f926e6527af6ce1e4acf74a7b3.bin
Analysis ID: 1591996
MD5: ebf5b897e0e4b90143764fc39e0c5a21
SHA1: 244eb29a512f1cc980bcfdc3bda2c62e1954c6d7
SHA256: b53390dba0e0c227341f3c688be3aef91455c4f926e6527af6ce1e4acf74a7b3

Detection

Score: 14
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 32
Range: 0 - 100

Signatures

Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F91040 InterlockedIncrement,CryptAcquireContextA,InterlockedIncrement,CryptGenRandom, 2_2_00F91040
Source: C:\Users\user\Desktop\PmsbthDWFX.exe EXE: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe

Compliance

Source: C:\Users\user\Desktop\PmsbthDWFX.exe EXE: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe
Source: PmsbthDWFX.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Window detected: AcceptCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing f.lux.Press Page Down to see the rest of the agreement.BY CLICKING ON THE "ACCEPT" BUTTON "YOU" (MEANING YOU PERSONALLY AND NOT A COMPANY OR OTHER CORPORATE ENTITY) ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS LICENSE AGREEMENT ("AGREEMENT"). IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT CLICK THE "CANCEL" BUTTON AND THE DOWNLOAD/INSTALLATION PROCESS WILL NOT CONTINUE. IF THESE TERMS ARE CONSIDERED AN OFFER ACCEPTANCE IS EXPRESSLY LIMITED TO THESE TERMS.GRANT. Subject to your full compliance with all the terms of this Agreement Flux Software LLC ("Company") hereby grants you (and only you) a limited personal non-sublicensable non-transferable royalty-free nonexclusive license to use internally the software that you are about to download or install ("Software") only in accordance with the Company documentation that accompanies it. In addition to any compatible personal devices you may download and install the Software on any compatible work device(s) provided that you (1) obtain all necessary permissions consents and waivers from your employer to do so (2) assume all risks and liabilities relating to the Software on such devices and (3) require your employer to release Company from any and all liability to Company relating to the download installation or use of the Software.RESTRICTIONS. 
You may not (and agree not to and not authorize or enable others to) directly or indirectly: (a) copy distribute redistribute rent lease mirror timeshare operate a service bureau or otherwise use for the benefit of a third party the Software; (b) disassemble decompile attempt to discover the source code or structure sequence and organization of or otherwise reverse engineer the Software (except to the extent applicable law prohibits restrictions on reverse engineering); (c) remove any proprietary notices from the Software; or (d) bundle the Software with any third party software product or service. You understand that Company may modify or discontinue offering the Software at any time. For the avoidance of doubt the foregoing restrictions apply to any company or corporate entity (or its affiliates or agents acting on its behalf) (each an "Entity") and no Entity shall download or install the Software for the purposes of mirroring or distributing it to its employees or otherwise.SUPPORT AND UPGRADES. This Agreement does not entitle you to any support upgrades patches enhancements or fixes for the Software (collectively "Support"). The Software may automatically download and install updates from time to time on the device(s) that you have downloaded and installed the Software on. You agree to receive any such updates and any Support and/or updates for the Software that may be made available by Company shall become part of the Software and subject to this Agreement. The Company reserves the right in its
Source: PmsbthDWFX.exe Static PE information: certificate valid
Source: Binary string: c:\Users\mherf\git\projects\flux\NoAccount\flux.pdb source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr
Source: Binary string: c:\Users\mherf\git\projects\flux\NoAccount\flux.pdb$ source: flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\Users\mherf\git\projects\flux\NoAccount\flux.pdb$ N, source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe.0.dr
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F92780 __wsplitpath,InterlockedDecrement,InterlockedIncrement,DeleteUrlCacheEntry,__makepath_s,URLDownloadToFileA,__makepath_s,GetFileAttributesA,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement, 2_2_00F92780
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: PmsbthDWFX.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PmsbthDWFX.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://api.fluxometer.com
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://api.fluxometer.comtruessdp:allPhilips
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://apihttps://%d-%d-%s%sauth/reset.postPOSTownersettingssensoractivity%s/auth/create?name=anon%
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://discovery.meethue.com/
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://discovery.meethue.com/internalipaddresshttp://%s/upnphue//lights/ctbrinot
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://fluxometer.com/
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://fluxometer.com/disableoffermessageurlpromoexpirepopsilentwebf.luxdeviceanondevicefor
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/crash
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/crashf.lux
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/f.lux
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/geo
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/geollUseWinLocation
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/offer/windows.json
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/update/v4/
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/update/v4/windows-beta.jsonhttps://justgetflux.com/update/v4/windows.jsonhtt
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/update/v4/windows.json
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/contribute.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/contribute.htmlMake
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/forum.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/forum.htmlVisit
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/lights.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/lights.htmlalarmhotkeysSurfaceKeysDisableUpdateSlowFadeWideSliderUse
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/moreabout.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/moreabout.htmlfluxometer.com:
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/preset.json
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/release.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/release.htmlRead
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/support.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/support.htmlRead
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/watchdog.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/windows/watchdog.html/crashflux/cam
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/winmap.html
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr String found in binary or memory: https://justgetflux.com/winmap.html%s?lat=%f&lng=%f%s?geo=%sredirlatlngZIP
Source: PmsbthDWFX.exe, flux.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F718D0 InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,MessageBoxA,IsWindow,IsWindowVisible,PostMessageA,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement, 2_2_00F718D0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F71BE8 InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,MessageBoxA,IsWindow,IsWindowVisible,PostMessageA,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement, 2_2_00F71BE8
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F71B47 InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,MessageBoxA,IsWindow,IsWindowVisible,PostMessageA,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement, 2_2_00F71B47
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F71D66 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,MessageBoxA,IsWindow,IsWindowVisible,PostMessageA,InterlockedDecrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement,InterlockedDecrement,InterlockedIncrement, 2_2_00F71D66
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F7C0D0 GetCursorPos,GetCursorPos,GetCursorPos,ClientToScreen,InterlockedDecrement,InterlockedIncrement,__time64,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 2_2_00F7C0D0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 0_2_100010D0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F877C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 2_2_00F877C0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB60E0 2_2_00FB60E0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F7C0D0 2_2_00F7C0D0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD61E0 2_2_00FD61E0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_0101604E 2_2_0101604E
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB8130 2_2_00FB8130
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F6A2C0 2_2_00F6A2C0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F74240 2_2_00F74240
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE6320 2_2_00FE6320
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F88500 2_2_00F88500
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F866F0 2_2_00F866F0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01002778 2_2_01002778
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD465C 2_2_00FD465C
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F90780 2_2_00F90780
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE4740 2_2_00FE4740
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_0100E6D0 2_2_0100E6D0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F8E700 2_2_00F8E700
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE08E0 2_2_00FE08E0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB88B7 2_2_00FB88B7
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB8870 2_2_00FB8870
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FDE830 2_2_00FDE830
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F769F0 2_2_00F769F0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FAC9B0 2_2_00FAC9B0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE4940 2_2_00FE4940
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F9AAE0 2_2_00F9AAE0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD4A80 2_2_00FD4A80
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB8A30 2_2_00FB8A30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD0BD0 2_2_00FD0BD0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD4B0B 2_2_00FD4B0B
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01010D12 2_2_01010D12
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE4CB0 2_2_00FE4CB0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FCCC50 2_2_00FCCC50
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD8C20 2_2_00FD8C20
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_0100EC14 2_2_0100EC14
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE8D40 2_2_00FE8D40
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE8E50 2_2_00FE8E50
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F8CE40 2_2_00F8CE40
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FAAFE0 2_2_00FAAFE0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FEAFE0 2_2_00FEAFE0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F96F00 2_2_00F96F00
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_0100F158 2_2_0100F158
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F83090 2_2_00F83090
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F731EB 2_2_00F731EB
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F73140 2_2_00F73140
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FC5100 2_2_00FC5100
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB3230 2_2_00FB3230
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F773C9 2_2_00F773C9
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD738E 2_2_00FD738E
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F7336E 2_2_00F7336E
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_0100D2E6 2_2_0100D2E6
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FA54E0 2_2_00FA54E0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F8D459 2_2_00F8D459
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB9420 2_2_00FB9420
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FAF590 2_2_00FAF590
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01005713 2_2_01005713
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE56C0 2_2_00FE56C0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB76A0 2_2_00FB76A0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F67600 2_2_00F67600
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F6D7F0 2_2_00F6D7F0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01013649 2_2_01013649
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FCD7A0 2_2_00FCD7A0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F95740 2_2_00F95740
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F718D0 2_2_00F718D0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FE3970 2_2_00FE3970
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FADAE0 2_2_00FADAE0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD9CC9 2_2_00FD9CC9
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FC1C40 2_2_00FC1C40
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F91D10 2_2_00F91D10
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F6FEA0 2_2_00F6FEA0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD7FE0 2_2_00FD7FE0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FEBF40 2_2_00FEBF40
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FD3F30 2_2_00FD3F30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 00F61480 appears 36 times
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 00F61920 appears 38 times
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 00FAEA60 appears 38 times
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 01002D40 appears 50 times
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 00F61310 appears 40 times
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 00F7E8C0 appears 65 times
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: String function: 00FFD4B4 appears 69 times
Source: PmsbthDWFX.exe, 00000000.00000003.2119675903.000000000290A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameflux.exe, vs PmsbthDWFX.exe
Source: unknown Driver loaded: C:\Windows\System32\cdd.dll
Source: PmsbthDWFX.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: clean14.winEXE@12/5@1/0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FA6F00 GetLastError,FormatMessageA,MessageBoxA,LocalFree, 2_2_00FA6F00
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F877C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 2_2_00F877C0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FC3D10 lstrlenW,_malloc,WideCharToMultiByte,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 2_2_00FC3D10
Source: C:\Users\user\Desktop\PmsbthDWFX.exe File created: C:\Users\user\AppData\Local\FluxSoftware
Source: C:\Users\user\Desktop\PmsbthDWFX.exe File created: C:\Users\user\AppData\Local\Temp\nsr7DE9.tmp
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: /silentunlock 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: /unlockwingamma 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: /silentlock 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: /lockwingamma 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: /crash 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: F.lux 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: noshow 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: /crash 2_2_00F7DF30
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Command line argument: flux/#fluxicon 2_2_00F7DF30
Source: PmsbthDWFX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PmsbthDWFX.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PmsbthDWFX.exe File read: C:\Users\user\Desktop\PmsbthDWFX.exe
Source: unknown Process created: C:\Users\user\Desktop\PmsbthDWFX.exe "C:\Users\user\Desktop\PmsbthDWFX.exe"
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Process created: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe "C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe" /unlockwingamma
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f8a055 /state1:0x41c64e6d
Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f96055 /state1:0x41c64e6d
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f9e855 /state1:0x41c64e6d
Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3fae055 /state1:0x41c64e6d
Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3fb5855 /state1:0x41c64e6d
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Process created: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe "C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe" /unlockwingamma
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: magnification.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Window detected: AcceptCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing f.lux.Press Page Down to see the rest of the agreement.BY CLICKING ON THE "ACCEPT" BUTTON "YOU" (MEANING YOU PERSONALLY AND NOT A COMPANY OR OTHER CORPORATE ENTITY) ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS LICENSE AGREEMENT ("AGREEMENT"). IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT CLICK THE "CANCEL" BUTTON AND THE DOWNLOAD/INSTALLATION PROCESS WILL NOT CONTINUE. IF THESE TERMS ARE CONSIDERED AN OFFER ACCEPTANCE IS EXPRESSLY LIMITED TO THESE TERMS.GRANT. Subject to your full compliance with all the terms of this Agreement Flux Software LLC ("Company") hereby grants you (and only you) a limited personal non-sublicensable non-transferable royalty-free nonexclusive license to use internally the software that you are about to download or install ("Software") only in accordance with the Company documentation that accompanies it. In addition to any compatible personal devices you may download and install the Software on any compatible work device(s) provided that you (1) obtain all necessary permissions consents and waivers from your employer to do so (2) assume all risks and liabilities relating to the Software on such devices and (3) require your employer to release Company from any and all liability to Company relating to the download installation or use of the Software.RESTRICTIONS. You may not (and agree not to and not authorize or enable others to) directly or indirectly: (a) copy distribute redistribute rent lease mirror timeshare operate a service bureau or otherwise use for the benefit of a third party the Software; (b) disassemble decompile attempt to discover the source code or structure sequence and organization of or otherwise reverse engineer the Software (except to the extent applicable law prohibits restrictions on reverse engineering); (c) remove any proprietary notices from the Software; or (d) bundle the Software with any third party software product or service. You understand that Company may modify or discontinue offering the Software at any time. For the avoidance of doubt the foregoing restrictions apply to any company or corporate entity (or its affiliates or agents acting on its behalf) (each an "Entity") and no Entity shall download or install the Software for the purposes of mirroring or distributing it to its employees or otherwise.SUPPORT AND UPGRADES. This Agreement does not entitle you to any support upgrades patches enhancements or fixes for the Software (collectively "Support"). The Software may automatically download and install updates from time to time on the device(s) that you have downloaded and installed the Software on. You agree to receive any such updates and any Support and/or updates for the Software that may be made available by Company shall become part of the Software and subject to this Agreement. The Company reserves the right in its
Source: PmsbthDWFX.exe Static PE information: certificate valid
Source: Binary string: c:\Users\mherf\git\projects\flux\NoAccount\flux.pdb source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe.0.dr
Source: Binary string: c:\Users\mherf\git\projects\flux\NoAccount\flux.pdb$ source: flux.exe, 00000002.00000000.2121852792.0000000001018000.00000002.00000001.01000000.00000007.sdmp, flux.exe, 00000002.00000002.2232227236.0000000001018000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\Users\mherf\git\projects\flux\NoAccount\flux.pdb$ N, source: PmsbthDWFX.exe, 00000000.00000003.2119675903.0000000002800000.00000004.00000020.00020000.00000000.sdmp, flux.exe.0.dr
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 0_2_100010D0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01002D85 push ecx; ret 2_2_01002D98
Source: C:\Users\user\Desktop\PmsbthDWFX.exe File created: C:\Users\user\AppData\Local\Temp\nsp91D0.tmp\nsProcess.dll
Source: C:\Users\user\Desktop\PmsbthDWFX.exe File created: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FCF160 IsIconic,ShowWindow,DialogBoxParamA, 2_2_00FCF160
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FA4EC0 IsWindowVisible,IsIconic,GetCurrentThreadId,ShowWindowAsync,ShowWindow,SetForegroundWindow, 2_2_00FA4EC0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB76A0 SetupDiGetClassDevsExA,SetupDiEnumDeviceInfo,SetupDiOpenDevRegKey,RegQueryValueExA,RegCloseKey,_memset,SetupDiGetDeviceRegistryPropertyA,InterlockedDecrement,InterlockedIncrement,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList, 2_2_00FB76A0
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp91D0.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe API coverage: 1.0 %
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01000826 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 2_2_01000826
Source: C:\Users\user\Desktop\PmsbthDWFX.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\cdd.dll System information queried: ModuleInformation
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FFCEB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00FFCEB0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01000826 VirtualProtect ?,-00000001,00000104,? 2_2_01000826
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 0_2_100010D0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01012175 GetProcessHeap,HeapFree, 2_2_01012175
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01004780 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_01004780
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FFCEB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00FFCEB0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01009011 SetUnhandledExceptionFilter, 2_2_01009011
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_01003D65 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_01003D65
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FEA890 cpuid 2_2_00FEA890
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: GetLocaleInfoA, 2_2_010101FA
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_00FA8920
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FB76A0 SetupDiGetClassDevsExA,SetupDiEnumDeviceInfo,SetupDiOpenDevRegKey,RegQueryValueExA,RegCloseKey,_memset,SetupDiGetDeviceRegistryPropertyA,InterlockedDecrement,InterlockedIncrement,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList, 2_2_00FB76A0
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F728E0 SystemParametersInfoA,GetLocalTime,SystemTimeToVariantTime, 2_2_00F728E0
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00FA9B60 FileTimeToSystemTime,_memset,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToFileTime,__aulldiv,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__aulldiv,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 2_2_00FA9B60
Source: C:\Users\user\Desktop\PmsbthDWFX.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Source: C:\Users\user\AppData\Local\FluxSoftware\Flux\flux.exe Code function: 2_2_00F8F840 WSAStartup,socket,#21,bind, 2_2_00F8F840
No contacted IP infos