Edit tour

Windows Analysis Report
LPO-2024-357.exe

Overview

General Information

Sample name:	LPO-2024-357.exe
Analysis ID:	1565672
MD5:	b15e3e1eb0abfb4967c65bf33665fcbb
SHA1:	fcd702629c1e38b7d08df3628920c22d4dab9a40
SHA256:	137e0a944efefef514d0595cdfade088a59eb12404a1469e76cd024ebdb2d1f1
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

LPO-2024-357.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\LPO-2024-357.exe" MD5: B15E3E1EB0ABFB4967C65BF33665FCBB)

powershell.exe (PID: 3844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7096 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

LPO-2024-357.exe (PID: 4348 cmdline: "C:\Users\user\Desktop\LPO-2024-357.exe" MD5: B15E3E1EB0ABFB4967C65BF33665FCBB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2923605654.000000000287A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1700975172.00000000079A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2921447380.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1694260808.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1690208458.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: LPO-2024-357.exe PID: 6516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LPO-2024-357.exe PID: 4348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LPO-2024-357.exe PID: 4348	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.LPO-2024-357.exe.3d0a078.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.LPO-2024-357.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.LPO-2024-357.exe.3d33098.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.LPO-2024-357.exe.79a0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.LPO-2024-357.exe.2dac680.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.LPO-2024-357.exe.79a0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.LPO-2024-357.exe.3d33098.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.LPO-2024-357.exe.2dac680.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LPO-2024-357.exe", ParentImage: C:\Users\user\Desktop\LPO-2024-357.exe, ParentProcessId: 6516, ParentProcessName: LPO-2024-357.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe", ProcessId: 3844, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\LPO-2024-357.exe, Initiated: true, ProcessId: 4348, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LPO-2024-357.exe", ParentImage: C:\Users\user\Desktop\LPO-2024-357.exe, ParentProcessId: 6516, ParentProcessName: LPO-2024-357.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe", ProcessId: 3844, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T14:19:39.797227+0100	2030171	1	A Network Trojan was detected	192.168.2.4	49734	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T14:18:05.436393+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49734	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T14:18:05.436393+0100	2855245	1	A Network Trojan was detected	192.168.2.4	49734	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T14:19:39.797227+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49734	199.79.62.115	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T14:19:39.797227+0100	2840032	1	A Network Trojan was detected	192.168.2.4	49734	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: LPO-2024-357.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: LPO-2024-357.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: /log.tmp
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>[
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ]<br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Time:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>User Name:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>Computer Name:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>OSFullName:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>CPU:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>RAM:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IP Address:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <hr>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: New
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IP Address:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: false
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: appdata
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: KTvkzEc
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: KTvkzEc
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Type
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <hr>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <b>[
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ]</b> (
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: )<br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {BACK}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {ALT+TAB}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {ALT+F4}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {TAB}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {ESC}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {Win}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {KEYUP}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {KEYDOWN}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {KEYLEFT}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {DEL}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {END}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {HOME}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {Insert}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {NumLock}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {PageDown}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {PageUp}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {ENTER}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F1}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F2}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F3}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F4}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F5}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F6}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F7}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F8}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F9}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F10}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F11}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {F12}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: control
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {CTRL}
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: &
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: >
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: "
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <hr>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: logins
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IE/Edge
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Secure Note
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Web Credentials
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Credentials
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Extended Credential
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SchemaId
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pResourceElement
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pIdentityElement
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pPackageSid
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IE/Edge
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UC Browser
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UCBrowser\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Login Data
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: journal
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: wow_logins
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Safari for Windows
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <array>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <dict>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <string>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </string>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <string>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </string>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <data>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </data>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: credential
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: QQ Browser
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Profile
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \EncryptedStorage
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: entries
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: category
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: str3
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: str2
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: blob0
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: password_value
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IncrediMail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PopPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SmtpPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Accounts_New
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PopPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SmtpPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SmtpServer
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: EmailAddress
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Eudora
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: current
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Settings
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SavePasswordText
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Settings
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ReturnAddress
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Falkon Browser
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \falkon\profiles\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: profiles.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: profiles.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \browsedata.db
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: autofill
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ClawsMail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Claws-mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \clawsrc
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \clawsrc
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passkey0
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \accountrc
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: smtp_server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: address
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: account
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \passwordstorerc
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Flock Browser
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: APPDATA
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Flock\Browser\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: signons3.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: DynDns
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: username=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: password=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: t6KzXhCh
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: global
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: accounts
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: account.
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: username
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: account.
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Psi/Psi+
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: name
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Psi/Psi+
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: APPDATA
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Psi\profiles
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: APPDATA
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Psi+\profiles
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \accounts.xml
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \accounts.xml
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: OpenVPN
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: username
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: auth-data
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: entropy
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: USERPROFILE
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: remote
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: remote
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: NordVPN
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: NordVPN
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: NordVpn.exe*
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: user.config
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: NordVPN
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Private Internet Access
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: %ProgramW6432%
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Private Internet Access\data
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \account.json
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Private Internet Access
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FileZilla
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: APPDATA
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: APPDATA
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Server>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Host>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Host>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </Host>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Port>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </Port>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <User>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <User>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </User>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </Pass>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Pass>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </Pass>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: CoreFTP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: User
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Host
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Port
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: WinSCP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HostName
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UserName
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PublicKeyFile
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PortNumber
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: WinSCP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ABCDEF
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Flash FXP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: port
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: user
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pass
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: quick.dat
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Sites.dat
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \FlashFXP\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \FlashFXP\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FTP Navigator
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SystemDrive
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: No Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: User
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SmartFTP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: APPDATA
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: WS_FTP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: appdata
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HOST
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PWD=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PWD=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FtpCommander
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SystemDrive
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SystemDrive
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SystemDrive
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;Password=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;User=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;Server=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;Port=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;Port=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;Password=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;User=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ;Anonymous=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FTPGetter
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_ip>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_ip>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </server_ip>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_port>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </server_port>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_user_name>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_user_name>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </server_user_name>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_user_password>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: <server_user_password>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: </server_user_password>
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FTPGetter
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: The Bat!
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: appdata
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \The Bat!
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Account.CFN
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Account.CFN
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Becky!
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: DataDir
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Folder.lst
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Mailbox.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Account
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PassWd
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Account
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SMTPServer
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Account
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: MailAddress
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Becky!
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Outlook
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IMAP Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: POP3 Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HTTP Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SMTP Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IMAP Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: POP3 Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HTTP Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SMTP Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Windows Mail App
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SchemaId
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pResourceElement
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pIdentityElement
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pPackageSid
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: syncpassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: mailoutgoing
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FoxMail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Executable
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: FoxmailPath
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Storage\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Storage\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Account.stg
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Account.stg
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: POP3Host
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SMTPHost
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: IncomingServer
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Account
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: MailAddress
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: POP3Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Opera Mail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: opera:
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PocoMail
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: appdata
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: POPPass
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SMTPPass
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SMTP
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: eM Client
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: eM Client
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Accounts
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: "Username":"
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: "Secret":"
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: "ProviderName":"
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Mailbird
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SenderIdentities
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Accounts
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Server_Host
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Accounts
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Email
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Username
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: EncryptedPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Mailbird
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: RealVNC 4.x
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: RealVNC 3.x
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: RealVNC 4.x
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: RealVNC 3.x
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: TightVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: TightVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: PasswordViewOnly
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ControlPassword
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: TigerVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Password
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd2
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd2
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd2
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: UltraVNC
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: passwd2
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: JDownloader 2.0
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Paltalk
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack	String decryptor: nickname

Source: LPO-2024-357.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LPO-2024-357.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: htrC.pdb source: LPO-2024-357.exe
Source:	Binary string: htrC.pdbSHA256V<2 source: LPO-2024-357.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49734 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 199.79.62.115:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: LPO-2024-357.exe, 00000004.00000002.2923605654.000000000287A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: LPO-2024-357.exe, 00000000.00000002.1690208458.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B0C820 NtUnmapViewOfSection,		0_2_07B0C820
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B0C818 NtUnmapViewOfSection,		0_2_07B0C818

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_0103DF74	0_2_0103DF74
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_076421F0	0_2_076421F0
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07641F3C	0_2_07641F3C
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_0764CDE7	0_2_0764CDE7
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_0764CDE8	0_2_0764CDE8
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B02718	0_2_07B02718
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B02C40	0_2_07B02C40
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B0270B	0_2_07B0270B
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B0B758	0_2_07B0B758
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B096E8	0_2_07B096E8
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B0C158	0_2_07B0C158
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B00006	0_2_07B00006
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B00040	0_2_07B00040
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B09F58	0_2_07B09F58
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B02D16	0_2_07B02D16
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B02C33	0_2_07B02C33
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B09B20	0_2_07B09B20
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_09110EB4	0_2_09110EB4
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_0911F158	0_2_0911F158
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_0911F147	0_2_0911F147
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_0911F3F0	0_2_0911F3F0
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00D74140	4_2_00D74140
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00D74D58	4_2_00D74D58
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00D74488	4_2_00D74488
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_05ED3D9C	4_2_05ED3D9C
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_05ED8E08	4_2_05ED8E08

Source: LPO-2024-357.exe, 00000000.00000002.1700975172.00000000079A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000000.1656640584.00000000007F0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehtrC.exeN vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1684821524.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1690208458.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1694260808.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1690208458.0000000002B46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000000.00000002.1701671447.0000000009210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000004.00000002.2921447380.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs LPO-2024-357.exe
Source: LPO-2024-357.exe, 00000004.00000002.2921731470.00000000008F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LPO-2024-357.exe
Source: LPO-2024-357.exe	Binary or memory string: OriginalFilenamehtrC.exeN vs LPO-2024-357.exe

Source: LPO-2024-357.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LPO-2024-357.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, o90pySpvXwWvR2PmHy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, ReVixo9FXbxWPDnqBj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, ReVixo9FXbxWPDnqBj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, ReVixo9FXbxWPDnqBj.cs	Security API names: _0020.AddAccessRule
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, o90pySpvXwWvR2PmHy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, ReVixo9FXbxWPDnqBj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, ReVixo9FXbxWPDnqBj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, ReVixo9FXbxWPDnqBj.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/1

Source: C:\Users\user\Desktop\LPO-2024-357.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LPO-2024-357.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3do5jaz2.mem.ps1

Jump to behavior

Source: LPO-2024-357.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LPO-2024-357.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\LPO-2024-357.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LPO-2024-357.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LPO-2024-357.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LPO-2024-357.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\LPO-2024-357.exe "C:\Users\user\Desktop\LPO-2024-357.exe"
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Users\user\Desktop\LPO-2024-357.exe "C:\Users\user\Desktop\LPO-2024-357.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Users\user\Desktop\LPO-2024-357.exe "C:\Users\user\Desktop\LPO-2024-357.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LPO-2024-357.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: LPO-2024-357.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LPO-2024-357.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LPO-2024-357.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: htrC.pdb source: LPO-2024-357.exe
Source:	Binary string: htrC.pdbSHA256V<2 source: LPO-2024-357.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, ReVixo9FXbxWPDnqBj.cs	.Net Code: lYhuqjr8xB System.Reflection.Assembly.Load(byte[])
Source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, ReVixo9FXbxWPDnqBj.cs	.Net Code: lYhuqjr8xB System.Reflection.Assembly.Load(byte[])

Source: LPO-2024-357.exe

Static PE information: 0xD373E82A [Tue Jun 2 01:17:30 2082 UTC]

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 0_2_07B02C30 pushad ; iretd	0_2_07B02C31
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_004029C9 pushfd ; ret	4_2_00402B30
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_0040294A pushfd ; ret	4_2_00402957
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_0040784E pushfd ; ret	4_2_0040784F
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_0040354F pushfd ; ret	4_2_00403550
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00402959 pushfd ; ret	4_2_00402975
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_0040865B pushfd ; ret	4_2_0040865C
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_004098EC pushfd ; ret	4_2_004099A3
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00402977 pushfd ; ret	4_2_00402998
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_004066FC pushfd ; ret	4_2_00406763
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00403E01 push esi; retf	4_2_00403E0C
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00403706 pushfd ; ret	4_2_00403707
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00406291 pushfd ; ret	4_2_00406293
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_0040299A pushfd ; ret	4_2_004029C7
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00407CAD pushfd ; ret	4_2_00407CAE
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00409A2E pushfd ; ret	4_2_00409A39
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00402B32 pushfd ; ret	4_2_00402B3F
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00405333 pushfd ; ret	4_2_00405338
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_00402937 pushfd ; ret	4_2_00402948
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Code function: 4_2_004077BD pushfd ; ret	4_2_004077C4

Source: LPO-2024-357.exe

Static PE information: section name: .text entropy: 7.662076834159514

Source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, wVsEJWTDvwyX4LMlub.cs	High entropy of concatenated method names: 'Hu0gwsJyHJ', 'T5OgEF21nP', 'z1B8xBJJL5', 'JPB8kyqqTK', 'qfa8fyIp1l', 'v7K8L9ONs6', 'SPg8rGsNWt', 'YMl8KvlRBc', 'AEn8mCj6Vy', 'a6Y804RBta'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, Wd4vZerwXMtTQEU9C8.cs	High entropy of concatenated method names: 'M1EVX49Jlv', 'UhaV8vJLUb', 'fqVVZZGqEn', 'fgVZde7ZHk', 'N06ZzxH9J9', 'SHJVbwsFk9', 'oQoV4ZRZw3', 'DoCVoIe5N4', 'brpVUZsZyO', 'KlYVuRi9hK'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, GknCMqyRlympfcwDQy.cs	High entropy of concatenated method names: 'EgZJP3Ur25', 'QwhJiSeGgb', 'oGEJxKBH0L', 'mN2Jk37Dmc', 'HeBJf1cI9p', 'SMEJLB4FOX', 'llTJrajWld', 'zjaJKjB0bs', 'QMPJmVTlG5', 'cUkJ0EZZQF'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, LxLN1o4u5TU8DEkAktl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WRo2JLGRpk', 'DJ92nwEMAs', 'elT2Al6nWk', 'zva220CYRe', 'PG42ePGiBk', 'vtr2sJW6gn', 'DZH2jaSDL2'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, dKYoAIYwHWmZ81fnaR.cs	High entropy of concatenated method names: 'i2Q8HIsGqf', 'uUM8t9e2m2', 't7g8peSW8X', 'kar8Y7b0S2', 'eQB8cO1TeS', 'rmy86F3UIc', 'UIY8Dvtrdn', 'y8e87opn7R', 'r1N8JDEbme', 'HXS8n289Ka'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, o90pySpvXwWvR2PmHy.cs	High entropy of concatenated method names: 'T0YaIlpEHO', 'uvDa3D8MeQ', 'sbgalreXVB', 'NKyahaCRZF', 'krDaW8qEYc', 'tnKaCPhO3F', 'UmnaSLFBCo', 'I5navRgBWv', 'cHLayIG0AE', 'tqCadK2GlG'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, biAo3CCadsOHCxGAKa.cs	High entropy of concatenated method names: 'wotDvG7gxU', 'NBDDds5Cn3', 'HZ47bxMq21', 'YN074XMiRr', 'K5tD1w9ZUx', 'jqAD5wkoWC', 'uieDNLIpeD', 'bx8DIbrHYO', 'y06D3M5hED', 'QoSDl9gJGn'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, z1rEmaSjKEwXLXVS0v.cs	High entropy of concatenated method names: 'KZWJcl8Bcy', 'cgBJDy05kG', 'v5UJJr2YqE', 'XIdJAVpfNk', 'nHFJemZgb1', 'tdwJj9gTuN', 'Dispose', 'qKg7XkE1nn', 'RJH7ahmxbj', 'MdJ78yXg4a'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, xqmYXJNb80rOolpRcy.cs	High entropy of concatenated method names: 'weARpwu03p', 'hpjRYYVGba', 'UINRPVDTKB', 'bVRRif38lC', 'zMORkgSg67', 'vnKRfK92yD', 'ryoRr6ueke', 'AZrRK6XsNb', 'e0UR0ZLVNt', 'lRBR1eK03o'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, hg6PuKaIUTWqyZTwof.cs	High entropy of concatenated method names: 'Dispose', 'CwX4yLXVS0', 'eV2oiQDdKH', 'Ir1GwwSFZw', 'W0G4d88UXE', 'iUE4zAWibJ', 'ProcessDialogKey', 'SxiobknCMq', 'nlyo4mpfcw', 'qQyooDqCRG'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, xwwaHFlcpyWYafS9HT.cs	High entropy of concatenated method names: 'ToString', 'Tgt61fqxZ3', 'yvg6ieR1Ce', 'Q5Z6xSybn7', 'qfw6k2dbVN', 'MPQ6fEgUGt', 'dVo6LKexu3', 'mJV6roDgcF', 'tLo6KKkFQj', 'P2O6moyRKN'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, V8qCOsz1aCYM0FFjDu.cs	High entropy of concatenated method names: 'eFqntYasEu', 'IaNnpQqxo6', 'NoNnY0kyGI', 'oQcnPbRPh2', 'Sanni3AsGC', 'rTXnkFEj2W', 'SY8nf47hDU', 'Ctonj1EPC5', 'wnpnBCYgCc', 'OfenF98SxX'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, lpGn1vhAidsBt9VDt7.cs	High entropy of concatenated method names: 'M7mDODGSPf', 'qNhDQrRXop', 'ToString', 'iARDXrLHBB', 'QMMDaof4Ic', 'xaKD8abFQ3', 'mAwDgSw5PU', 'jTUDZsm3ax', 'GUaDVeB7of', 'kuyD9UbbOW'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, nwechnIN2C1GknPJNl.cs	High entropy of concatenated method names: 'Lhgc0A8kWE', 'h7wc5WpvRf', 'RkAcIgmcVW', 'xoec3fkHj0', 'U4XciMqHy3', 'QrOcxrHvlU', 'Gbccks6eCV', 'vLGcfYj98w', 'zK5cLQBd9D', 'qojcr4nfmN'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, CNWYXAmmSQN9gn7JgY.cs	High entropy of concatenated method names: 'sCUVBWENgp', 'vsUVFt2KpS', 'pL4VqFh8ca', 'XJvVHyMZbY', 'inxVwRQPmv', 'jAsVt8kpSZ', 'rknVElleLA', 'hLVVp7u1Eg', 'mVlVYlZT6R', 'h7cVTGLafN'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, ReVixo9FXbxWPDnqBj.cs	High entropy of concatenated method names: 'VPIUMEI8O5', 'jZdUXbuuM0', 'lWZUadnnko', 'k26U84hpKV', 'X4SUgJVQF2', 'TYrUZPyoD3', 'n22UVBTcGo', 'chXU9bgLGG', 'ooOUGLZOWo', 's3BUOskoRQ'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, pqCRGrd2frqfJnxf1h.cs	High entropy of concatenated method names: 'Mfun8FZons', 'BnLngS0rl6', 'wdsnZUVZnU', 'k9anVZ4dLI', 'kZxnJSCbPY', 'XHen9pPwrW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, SEBiQwPt6WU0SAZ8tk.cs	High entropy of concatenated method names: 'vHZZMIHZV4', 'RD2ZapVv5l', 'AwVZgr07iH', 'lD3ZVP2ki0', 'T8xZ9jhieB', 'RNrgWcnJUl', 'QSXgClNlHq', 'uhdgSiIgfm', 'RAkgvRYNJE', 'Uh6gyGT7Gs'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, QdhkEY44Qq70AvWrNDq.cs	High entropy of concatenated method names: 'TCRndJB9Sp', 'agknzAkgvL', 'J5WAbW6eKm', 'q6NA4YGbb7', 'CGiAoytNMH', 'jn4AUmaAO4', 'qEKAuIucTR', 'U1ZAMVsptw', 'k1XAXeWXKv', 'OE5AaNNbnf'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, PcQpnbuNrmP2ZDMX0M.cs	High entropy of concatenated method names: 'nKc4V90pyS', 'XXw49WvR2P', 'RwH4OWmZ81', 'Jna4QRjVsE', 'KMl4cub3EB', 'GQw46t6WU0', 'RLOwnpffredFciEmkL', 'Pr3USkD0xrZ1IgAMew', 'LhJ44DTctq', 'OMe4USIH0B'
Source: 0.2.LPO-2024-357.exe.9210000.5.raw.unpack, FnoyBCoVB4RcJxtEnm.cs	High entropy of concatenated method names: 'SmVqM8JFX', 'VRUHuJuoT', 'qSkt9VXxg', 'uwWEFSXMf', 'm6lYHDqM0', 'peuTisNGP', 'qYWNfTuSg0xwX5B1nN', 'rGboQ198E5HujDGAVH', 'HO67KoDA1', 'y64nNIUgF'
Source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, wVsEJWTDvwyX4LMlub.cs	High entropy of concatenated method names: 'Hu0gwsJyHJ', 'T5OgEF21nP', 'z1B8xBJJL5', 'JPB8kyqqTK', 'qfa8fyIp1l', 'v7K8L9ONs6', 'SPg8rGsNWt', 'YMl8KvlRBc', 'AEn8mCj6Vy', 'a6Y804RBta'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, Wd4vZerwXMtTQEU9C8.cs	High entropy of concatenated method names: 'M1EVX49Jlv', 'UhaV8vJLUb', 'fqVVZZGqEn', 'fgVZde7ZHk', 'N06ZzxH9J9', 'SHJVbwsFk9', 'oQoV4ZRZw3', 'DoCVoIe5N4', 'brpVUZsZyO', 'KlYVuRi9hK'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, GknCMqyRlympfcwDQy.cs	High entropy of concatenated method names: 'EgZJP3Ur25', 'QwhJiSeGgb', 'oGEJxKBH0L', 'mN2Jk37Dmc', 'HeBJf1cI9p', 'SMEJLB4FOX', 'llTJrajWld', 'zjaJKjB0bs', 'QMPJmVTlG5', 'cUkJ0EZZQF'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, LxLN1o4u5TU8DEkAktl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WRo2JLGRpk', 'DJ92nwEMAs', 'elT2Al6nWk', 'zva220CYRe', 'PG42ePGiBk', 'vtr2sJW6gn', 'DZH2jaSDL2'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, dKYoAIYwHWmZ81fnaR.cs	High entropy of concatenated method names: 'i2Q8HIsGqf', 'uUM8t9e2m2', 't7g8peSW8X', 'kar8Y7b0S2', 'eQB8cO1TeS', 'rmy86F3UIc', 'UIY8Dvtrdn', 'y8e87opn7R', 'r1N8JDEbme', 'HXS8n289Ka'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, o90pySpvXwWvR2PmHy.cs	High entropy of concatenated method names: 'T0YaIlpEHO', 'uvDa3D8MeQ', 'sbgalreXVB', 'NKyahaCRZF', 'krDaW8qEYc', 'tnKaCPhO3F', 'UmnaSLFBCo', 'I5navRgBWv', 'cHLayIG0AE', 'tqCadK2GlG'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, biAo3CCadsOHCxGAKa.cs	High entropy of concatenated method names: 'wotDvG7gxU', 'NBDDds5Cn3', 'HZ47bxMq21', 'YN074XMiRr', 'K5tD1w9ZUx', 'jqAD5wkoWC', 'uieDNLIpeD', 'bx8DIbrHYO', 'y06D3M5hED', 'QoSDl9gJGn'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, z1rEmaSjKEwXLXVS0v.cs	High entropy of concatenated method names: 'KZWJcl8Bcy', 'cgBJDy05kG', 'v5UJJr2YqE', 'XIdJAVpfNk', 'nHFJemZgb1', 'tdwJj9gTuN', 'Dispose', 'qKg7XkE1nn', 'RJH7ahmxbj', 'MdJ78yXg4a'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, xqmYXJNb80rOolpRcy.cs	High entropy of concatenated method names: 'weARpwu03p', 'hpjRYYVGba', 'UINRPVDTKB', 'bVRRif38lC', 'zMORkgSg67', 'vnKRfK92yD', 'ryoRr6ueke', 'AZrRK6XsNb', 'e0UR0ZLVNt', 'lRBR1eK03o'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, hg6PuKaIUTWqyZTwof.cs	High entropy of concatenated method names: 'Dispose', 'CwX4yLXVS0', 'eV2oiQDdKH', 'Ir1GwwSFZw', 'W0G4d88UXE', 'iUE4zAWibJ', 'ProcessDialogKey', 'SxiobknCMq', 'nlyo4mpfcw', 'qQyooDqCRG'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, xwwaHFlcpyWYafS9HT.cs	High entropy of concatenated method names: 'ToString', 'Tgt61fqxZ3', 'yvg6ieR1Ce', 'Q5Z6xSybn7', 'qfw6k2dbVN', 'MPQ6fEgUGt', 'dVo6LKexu3', 'mJV6roDgcF', 'tLo6KKkFQj', 'P2O6moyRKN'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, V8qCOsz1aCYM0FFjDu.cs	High entropy of concatenated method names: 'eFqntYasEu', 'IaNnpQqxo6', 'NoNnY0kyGI', 'oQcnPbRPh2', 'Sanni3AsGC', 'rTXnkFEj2W', 'SY8nf47hDU', 'Ctonj1EPC5', 'wnpnBCYgCc', 'OfenF98SxX'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, lpGn1vhAidsBt9VDt7.cs	High entropy of concatenated method names: 'M7mDODGSPf', 'qNhDQrRXop', 'ToString', 'iARDXrLHBB', 'QMMDaof4Ic', 'xaKD8abFQ3', 'mAwDgSw5PU', 'jTUDZsm3ax', 'GUaDVeB7of', 'kuyD9UbbOW'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, nwechnIN2C1GknPJNl.cs	High entropy of concatenated method names: 'Lhgc0A8kWE', 'h7wc5WpvRf', 'RkAcIgmcVW', 'xoec3fkHj0', 'U4XciMqHy3', 'QrOcxrHvlU', 'Gbccks6eCV', 'vLGcfYj98w', 'zK5cLQBd9D', 'qojcr4nfmN'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, CNWYXAmmSQN9gn7JgY.cs	High entropy of concatenated method names: 'sCUVBWENgp', 'vsUVFt2KpS', 'pL4VqFh8ca', 'XJvVHyMZbY', 'inxVwRQPmv', 'jAsVt8kpSZ', 'rknVElleLA', 'hLVVp7u1Eg', 'mVlVYlZT6R', 'h7cVTGLafN'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, ReVixo9FXbxWPDnqBj.cs	High entropy of concatenated method names: 'VPIUMEI8O5', 'jZdUXbuuM0', 'lWZUadnnko', 'k26U84hpKV', 'X4SUgJVQF2', 'TYrUZPyoD3', 'n22UVBTcGo', 'chXU9bgLGG', 'ooOUGLZOWo', 's3BUOskoRQ'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, pqCRGrd2frqfJnxf1h.cs	High entropy of concatenated method names: 'Mfun8FZons', 'BnLngS0rl6', 'wdsnZUVZnU', 'k9anVZ4dLI', 'kZxnJSCbPY', 'XHen9pPwrW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, SEBiQwPt6WU0SAZ8tk.cs	High entropy of concatenated method names: 'vHZZMIHZV4', 'RD2ZapVv5l', 'AwVZgr07iH', 'lD3ZVP2ki0', 'T8xZ9jhieB', 'RNrgWcnJUl', 'QSXgClNlHq', 'uhdgSiIgfm', 'RAkgvRYNJE', 'Uh6gyGT7Gs'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, QdhkEY44Qq70AvWrNDq.cs	High entropy of concatenated method names: 'TCRndJB9Sp', 'agknzAkgvL', 'J5WAbW6eKm', 'q6NA4YGbb7', 'CGiAoytNMH', 'jn4AUmaAO4', 'qEKAuIucTR', 'U1ZAMVsptw', 'k1XAXeWXKv', 'OE5AaNNbnf'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, PcQpnbuNrmP2ZDMX0M.cs	High entropy of concatenated method names: 'nKc4V90pyS', 'XXw49WvR2P', 'RwH4OWmZ81', 'Jna4QRjVsE', 'KMl4cub3EB', 'GQw46t6WU0', 'RLOwnpffredFciEmkL', 'Pr3USkD0xrZ1IgAMew', 'LhJ44DTctq', 'OMe4USIH0B'
Source: 0.2.LPO-2024-357.exe.3d77298.3.raw.unpack, FnoyBCoVB4RcJxtEnm.cs	High entropy of concatenated method names: 'SmVqM8JFX', 'VRUHuJuoT', 'qSkt9VXxg', 'uwWEFSXMf', 'm6lYHDqM0', 'peuTisNGP', 'qYWNfTuSg0xwX5B1nN', 'rGboQ198E5HujDGAVH', 'HO67KoDA1', 'y64nNIUgF'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LPO-2024-357.exe PID: 6516, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LPO-2024-357.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: 4B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: 9380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: A380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: B5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239883	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239781	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239652	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239437	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239322	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239218	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239109	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238997	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238890	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238781	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238671	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238442	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238219	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238046	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237850	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237691	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237558	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237452	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Window / User API: threadDelayed 1523	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Window / User API: threadDelayed 1703	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7421	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1728	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Window / User API: threadDelayed 3397	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Window / User API: threadDelayed 6380	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239883s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239652s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239322s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -239109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238442s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -238046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -237850s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -237691s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -237558s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6688	Thread sleep time: -237452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5936	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6640	Thread sleep count: 3397 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 6640	Thread sleep count: 6380 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -98887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -98780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -96063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -94110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -93985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -93860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe TID: 5764	Thread sleep time: -93735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\LPO-2024-357.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LPO-2024-357.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239883	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239781	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239652	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239437	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239322	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239218	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 239109	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238997	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238890	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238781	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238671	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238442	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238219	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 238046	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237850	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237691	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237558	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 237452	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99872	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 98887	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 98780	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96766	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96438	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96188	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 96063	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95920	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95809	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95701	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95578	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95466	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94360	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 94110	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 93985	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 93860	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Thread delayed: delay time: 93735	Jump to behavior

Source: LPO-2024-357.exe, 00000000.00000002.1684821524.0000000000E19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: LPO-2024-357.exe, 00000004.00000002.2922620777.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: LPO-2024-357.exe, 00000000.00000002.1690208458.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEmu@\dq
Source: LPO-2024-357.exe, 00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lQEmu

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe"
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Memory written: C:\Users\user\Desktop\LPO-2024-357.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe"			Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Process created: C:\Users\user\Desktop\LPO-2024-357.exe "C:\Users\user\Desktop\LPO-2024-357.exe"			Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Users\user\Desktop\LPO-2024-357.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Users\user\Desktop\LPO-2024-357.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LPO-2024-357.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d33098.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d33098.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2921447380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2923605654.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LPO-2024-357.exe PID: 4348, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.2dac680.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.79a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1700975172.00000000079A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694260808.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1690208458.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\LPO-2024-357.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\LPO-2024-357.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\LPO-2024-357.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LPO-2024-357.exe PID: 4348, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d0a078.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LPO-2024-357.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d33098.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d33098.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.3d0a078.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2921447380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2923605654.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LPO-2024-357.exe PID: 4348, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.LPO-2024-357.exe.79a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.2dac680.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.79a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LPO-2024-357.exe.2dac680.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1700975172.00000000079A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694260808.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1690208458.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LPO-2024-357.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
LPO-2024-357.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LPO-2024-357.exe, 00000000.00000002.1690208458.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	LPO-2024-357.exe, 00000000.00000002.1699319889.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mail.mbarieservicesltd.com	LPO-2024-357.exe, 00000004.00000002.2923605654.000000000287A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565672
Start date and time:	2024-11-30 14:17:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LPO-2024-357.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LPO-2024-357.exe

Simulations

Behavior and APIs

Time	Type	Description
08:17:54	API Interceptor	77x Sleep call for process: LPO-2024-357.exe modified
08:17:57	API Interceptor	14x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	24-17745.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	shipping doc -GY298035826.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.63.24
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.63.24
	https://www.google.com.bn/url?snf=vpsBrmjsMjZT0YKBELze&nuu=B4grUxP5T5pV5xJiiFp0&sa=t&ndg=e2p4qPDSQqlwr77oflqr&pdbr=npO0StsDFHvGF7jwYfWY&np=slEjuRPdabbflvaXgHau&cb=IhzFYfcuqq5m2vva4DTH&url=amp%2Fbeutopiantech.com%2Fchd%2FroghgehdjtiE-SURECHDDam9lbC5kZW5vZnJpb0BoYW5lc2NvbXBhbmllcy5jb20=	Get hash	malicious	Unknown	Browse	103.211.216.144
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	DOCS.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249

Process:	C:\Users\user\Desktop\LPO-2024-357.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZWUyus:lGLHyIFKL3IZ2KRH9Ougws
MD5:	3E0907D635C949F64B277F168B031CA0
SHA1:	6ACE55DEFBB979521973A6C12F757FB625E07F43
SHA-256:	CDA30176C42A540618AE4D4FDB9576EA2319843D9D2ED19DF04EEA27E727A0E9
SHA-512:	5364F45AF3BCEAB75C1E991B58904594B48ED39393E2F5BA6F4DF9E4951BFC5C16686CD20E636B403BDF9F131EDC0D97B50CD2E2BFB3F0538316611AD42033AA
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3do5jaz2.mem.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfxmo5er.034.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grdgjhle.kg0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svawvg5q.wbm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.654021735538355
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	LPO-2024-357.exe
File size:	709'120 bytes
MD5:	b15e3e1eb0abfb4967c65bf33665fcbb
SHA1:	fcd702629c1e38b7d08df3628920c22d4dab9a40
SHA256:	137e0a944efefef514d0595cdfade088a59eb12404a1469e76cd024ebdb2d1f1
SHA512:	b4bbcda8556f487ec07b4c95cfb9a0627418107a62d70cdbdb293048e3483441f4a45cf36bdbfcf44a9cfe7f348a53a39f8f668fd8ee98aac81cf32be593d820
SSDEEP:	12288:sF2iNCTsv+SGjpA3yKUUo6aZ9p71raSBSf3t5Nppl1MakspSrZhA/9JQZsGoIU/:G1M1xjj9p7F8HjB0NhA/9WsGS
TLSH:	68E4F11032AAEA06D5D60BB80972D2B45779AE8E6511C30F5FE67EFF3C3AB052544363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.s...............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4ae6d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD373E82A [Tue Jun 2 01:17:30 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xae67f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaccfc	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xac6d8	0xac800	077eeccd98f561ab17121bfddc9d2000	False	0.8713711503623188	data	7.662076834159514	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x5d4	0x600	f2c6006ddde40101dc36f1edb6adca50	False	0.4231770833333333	data	4.140235585798007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	031ab9b1a00650631bf1ef1ca12551dd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb0090	0x344	data			0.41985645933014354
RT_MANIFEST	0xb03e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-30T14:18:05.436393+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49734	199.79.62.115	587	TCP
2024-11-30T14:18:05.436393+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49734	199.79.62.115	587	TCP
2024-11-30T14:19:39.797227+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49734	199.79.62.115	587	TCP
2024-11-30T14:19:39.797227+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49734	199.79.62.115	587	TCP
2024-11-30T14:19:39.797227+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49734	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 14:18:01.642905951 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:01.763135910 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:01.763195038 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:02.997622013 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:02.998665094 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:03.118732929 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:03.384172916 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:03.429018974 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:03.436634064 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:03.556525946 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:03.822097063 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:03.822349072 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:03.942317009 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:04.266436100 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:04.266685963 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:04.386991024 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:04.652282953 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:04.653711081 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:04.773758888 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.046787024 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.049743891 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:05.169764042 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.435178041 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.436295033 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:05.436393023 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:05.436412096 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:05.436424017 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:18:05.556499004 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.556509972 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.556548119 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.556601048 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.928853989 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:18:05.976025105 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:19:39.210843086 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:19:39.331716061 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:19:39.797054052 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:19:39.797226906 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:19:39.797260046 CET	587	49734	199.79.62.115	192.168.2.4
Nov 30, 2024 14:19:39.797306061 CET	49734	587	192.168.2.4	199.79.62.115
Nov 30, 2024 14:19:39.917244911 CET	587	49734	199.79.62.115	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 14:17:59.195509911 CET	59207	53	192.168.2.4	1.1.1.1
Nov 30, 2024 14:18:00.196083069 CET	59207	53	192.168.2.4	1.1.1.1
Nov 30, 2024 14:18:01.210433960 CET	59207	53	192.168.2.4	1.1.1.1
Nov 30, 2024 14:18:01.636464119 CET	53	59207	1.1.1.1	192.168.2.4
Nov 30, 2024 14:18:01.639902115 CET	53	59207	1.1.1.1	192.168.2.4
Nov 30, 2024 14:18:01.640259981 CET	53	59207	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2024 14:17:59.195509911 CET	192.168.2.4	1.1.1.1	0xa242	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 14:18:00.196083069 CET	192.168.2.4	1.1.1.1	0xa242	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 14:18:01.210433960 CET	192.168.2.4	1.1.1.1	0xa242	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 30, 2024 14:18:01.636464119 CET	1.1.1.1	192.168.2.4	0xa242	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 30, 2024 14:18:01.639902115 CET	1.1.1.1	192.168.2.4	0xa242	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Nov 30, 2024 14:18:01.640259981 CET	1.1.1.1	192.168.2.4	0xa242	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 30, 2024 14:18:02.997622013 CET	587	49734	199.79.62.115	192.168.2.4	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Sat, 30 Nov 2024 18:48:02 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 30, 2024 14:18:02.998665094 CET	49734	587	192.168.2.4	199.79.62.115	EHLO 675052
Nov 30, 2024 14:18:03.384172916 CET	587	49734	199.79.62.115	192.168.2.4	250-md-54.webhostbox.net Hello 675052 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 30, 2024 14:18:03.436634064 CET	49734	587	192.168.2.4	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Nov 30, 2024 14:18:03.822097063 CET	587	49734	199.79.62.115	192.168.2.4	334 UGFzc3dvcmQ6
Nov 30, 2024 14:18:04.266436100 CET	587	49734	199.79.62.115	192.168.2.4	235 Authentication succeeded
Nov 30, 2024 14:18:04.266685963 CET	49734	587	192.168.2.4	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Nov 30, 2024 14:18:04.652282953 CET	587	49734	199.79.62.115	192.168.2.4	250 OK
Nov 30, 2024 14:18:04.653711081 CET	49734	587	192.168.2.4	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Nov 30, 2024 14:18:05.046787024 CET	587	49734	199.79.62.115	192.168.2.4	250 Accepted
Nov 30, 2024 14:18:05.049743891 CET	49734	587	192.168.2.4	199.79.62.115	DATA
Nov 30, 2024 14:18:05.435178041 CET	587	49734	199.79.62.115	192.168.2.4	354 Enter message, ending with "." on a line by itself
Nov 30, 2024 14:18:05.436424017 CET	49734	587	192.168.2.4	199.79.62.115	.
Nov 30, 2024 14:18:05.928853989 CET	587	49734	199.79.62.115	192.168.2.4	250 OK id=1tHNML-004NDf-0k
Nov 30, 2024 14:19:39.210843086 CET	49734	587	192.168.2.4	199.79.62.115	QUIT
Nov 30, 2024 14:19:39.797054052 CET	587	49734	199.79.62.115	192.168.2.4	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	08:17:53
Start date:	30/11/2024
Path:	C:\Users\user\Desktop\LPO-2024-357.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LPO-2024-357.exe"
Imagebase:	0x740000
File size:	709'120 bytes
MD5 hash:	B15E3E1EB0ABFB4967C65BF33665FCBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1700975172.00000000079A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1694260808.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1694260808.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1690208458.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:17:56
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LPO-2024-357.exe"
Imagebase:	0x470000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:17:56
Start date:	30/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:17:56
Start date:	30/11/2024
Path:	C:\Users\user\Desktop\LPO-2024-357.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LPO-2024-357.exe"
Imagebase:	0x400000
File size:	709'120 bytes
MD5 hash:	B15E3E1EB0ABFB4967C65BF33665FCBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2923605654.000000000287A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.2921447380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2923605654.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:17:58
Start date:	30/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.5%
Total number of Nodes:	405
Total number of Limit Nodes:	27

Executed Functions

Function 07B0C818 Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 07B0C885

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: df7bda9c6c1c838814b1af116dce63e547c67b1afd00a6d130c304d2ddca1296
Instruction ID: 5badcd951bf651248b0fdf051b9419ac99357fe510040989ed69f6d4f94f94f5
Opcode Fuzzy Hash: df7bda9c6c1c838814b1af116dce63e547c67b1afd00a6d130c304d2ddca1296
Instruction Fuzzy Hash: 6C1137B19003098FDB24DFAAC445AEEFFF5EF98324F24886AD419A7250CB755544CBA4

Function 07B0C820 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 07B0C885

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: d3774b581ee05d3125f2d58f34b6e02943f4eb4e20f18bb29e62c0e1661a0e78
Instruction ID: 45e78b66f2a49e8a12560154de0553a737d80c25705024a7fb059e566a395a3f
Opcode Fuzzy Hash: d3774b581ee05d3125f2d58f34b6e02943f4eb4e20f18bb29e62c0e1661a0e78
Instruction Fuzzy Hash: 6A1149B1D003098BDB20DFAAC445BEEFFF5EB88324F248419D419A7240CB756544CBA4

Function 076421F0 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700837785.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9871f0214fc1f53e1701ea238c1a16896584b79e93ca99f7e3218dcb99b8f7b9
Instruction ID: ce22af2df61838acb46fa6d9b89908dcf7766ba00cade3f76627e9f1282c1b57
Opcode Fuzzy Hash: 9871f0214fc1f53e1701ea238c1a16896584b79e93ca99f7e3218dcb99b8f7b9
Instruction Fuzzy Hash: 95A23975E006598FCB15DF68C8586EDB7B2FF89300F1482A9D80AA7354EB74AE85CF50

Function 07B02718 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14acab466f51a6c45b49b88348ffac54785564647ddb75957b349d66ab8c5343
Instruction ID: 4c8f086287da78f47be24c9541d09e6c1afeb0b0b32767e8e77bcd32a330c8a9
Opcode Fuzzy Hash: 14acab466f51a6c45b49b88348ffac54785564647ddb75957b349d66ab8c5343
Instruction Fuzzy Hash: C2A1B7B4D15218CFEB24CFA6C8487EDBBB6BF89310F1091A9D509A7291DB345949CF81

Function 07B0270B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f235a19a6fb60429456d940bc5735de6f5170444c28019cbb3526caf0147ecf8
Instruction ID: da2cf6240c83a103cf56174ce1ae4d6abf269cacb52754b877dd3169178f596c
Opcode Fuzzy Hash: f235a19a6fb60429456d940bc5735de6f5170444c28019cbb3526caf0147ecf8
Instruction Fuzzy Hash: 2AA1C8B4D15218CFEB14CFA9D8487EDBBF6BF89310F1090A9D409A7291DB345989CF81

Function 09110EB4 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701631240.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9110000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b2e8a554b6766055703a62e807ee070c3259a76352bd6395b719052b11d7e3
Instruction ID: b0f13e64a352705f903c4512c31ab8cdb5dba01cbbf61cba2a3fc0326155ea20
Opcode Fuzzy Hash: 43b2e8a554b6766055703a62e807ee070c3259a76352bd6395b719052b11d7e3
Instruction Fuzzy Hash: 30813774E00219EFCF19DFA9C8846EEBBF2FF89314F14842AE415A7294DB349946CB54

Function 07B02D16 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de64d6cd7784c3bfdd72e9b36deff528254662b936e0d406db10f5d88a96c979
Instruction ID: ba73e15aa77b501e546b451cec0970df455de8caff6076ab10592f5322a32f2b
Opcode Fuzzy Hash: de64d6cd7784c3bfdd72e9b36deff528254662b936e0d406db10f5d88a96c979
Instruction Fuzzy Hash: 7E81C2B4D09218CFEB14CFA9C5886EDBFF5BF4A300F249199D409A7296D7349989CF90

Function 07B02C33 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ad8e300ea129a1d5342bfec75392b2e77f2bb9f0f3ba2a36e7e3e5ab0bf4a8
Instruction ID: debfa7fe48a953a5cb832095351655f8640c388dab1cae08d72de80d95efc1a8
Opcode Fuzzy Hash: 44ad8e300ea129a1d5342bfec75392b2e77f2bb9f0f3ba2a36e7e3e5ab0bf4a8
Instruction Fuzzy Hash: AB3192B1D046188BEB18CFABD94469EFFF2BF89300F14C16AD408A7255EB3455468F50

Function 07B02C40 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de11632af3cbbefd86029dfcb34c75fe3d4bb63d9e2afbb66a3ce0c7600f5bc
Instruction ID: a90086c7efcc8f1336acc8b066b12d541b1744ce76f768ced6bd4d2d8805b468
Opcode Fuzzy Hash: 1de11632af3cbbefd86029dfcb34c75fe3d4bb63d9e2afbb66a3ce0c7600f5bc
Instruction Fuzzy Hash: 8C317FB1E046188BEB18CFABD94469EFEF7BFC8300F14D16AD818AB255EB3455468F50

Function 0103D41A Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0103D49E
GetCurrentThread.KERNEL32 ref: 0103D4DB
GetCurrentProcess.KERNEL32 ref: 0103D518
GetCurrentThreadId.KERNEL32 ref: 0103D571

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 189a06c6aaf76bedad14e59da475e84c24bc9479e94cf48630e998b128371456
Instruction ID: 65bfb2ccac5373f80607cdc0fb46d67466d472d47bce36426663ab994e6aacee
Opcode Fuzzy Hash: 189a06c6aaf76bedad14e59da475e84c24bc9479e94cf48630e998b128371456
Instruction Fuzzy Hash: 005155B09002498FDB58CFA9D548BDEBBF5EF88318F24C459E449A72A0DB34A944CF65

Function 0103D420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0103D49E
GetCurrentThread.KERNEL32 ref: 0103D4DB
GetCurrentProcess.KERNEL32 ref: 0103D518
GetCurrentThreadId.KERNEL32 ref: 0103D571

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f1f8b93bc807b737a646b8e242e1e7a14aefb7b51c57f60d051060d3ec95d44a
Instruction ID: 39df29203fd96d4b70eba5ccd5b78cc07d7519dae4488bffc6dbc828cad51f96
Opcode Fuzzy Hash: f1f8b93bc807b737a646b8e242e1e7a14aefb7b51c57f60d051060d3ec95d44a
Instruction Fuzzy Hash: B75167B09002498FDB18CFA9D548B9EBBF5EF88318F208459E449A7290DB34A944CF65

Function 07648248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07648235,?,?), ref: 076482E7

Strings

p, xrefs: 07648248

Memory Dump Source

Source File: 00000000.00000002.1700837785.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_LPO-2024-357.jbxd

Similarity

API ID: DrawText
String ID: p
API String ID: 2175133113-2181537457
Opcode ID: 041d5e9c0193e060bb613326cc4f4f841babd1f3a665279094d2d9ff1b4efdc5
Instruction ID: 73a88c5d7c5cd2283832c7c8a56a49da56a0952db0ebeb867246a827168501fe
Opcode Fuzzy Hash: 041d5e9c0193e060bb613326cc4f4f841babd1f3a665279094d2d9ff1b4efdc5
Instruction Fuzzy Hash: CE31E3B5D0020A9FDB10CFA9D984ADEFBF5BF48314F24842AE419A7310D774A544CFA4

Function 07B0CCCC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B0CF0E

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 658d697d524d65785c0f18e916203088fdb67b4e9d0a0da5c4b9e833a15f8646
Instruction ID: c826308634ca3018a646eaf9f8bf74de8963ba1a6d318714f8bfcfe157f55c76
Opcode Fuzzy Hash: 658d697d524d65785c0f18e916203088fdb67b4e9d0a0da5c4b9e833a15f8646
Instruction Fuzzy Hash: 4BA11AB1D0021ACFEB10DF68C9417DDBFB2FB48314F1486A9E809A7290DB759985CB92

Function 07B0CCD8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B0CF0E

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f701cb923dbe69d0342ec32d7849a765a609c8ea24261966b0f794d6a91b5ad1
Instruction ID: 7247af33ddfbb2c164e7ac4324d17157e94e61bc1621ba8c462e7620ffed9f9e
Opcode Fuzzy Hash: f701cb923dbe69d0342ec32d7849a765a609c8ea24261966b0f794d6a91b5ad1
Instruction Fuzzy Hash: 4F912CB1D0021ACFEB14DF68C9417DDBFB2FB44314F1486A9E809A7290DB759985CF92

Function 0103B1A8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0103B3FE

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e316a1aa1189e3ff51df69c797363826a793b67f251a4ed549bd93ad3ea84cd6
Instruction ID: 7b1e68f6ff4ad82f27589f50f3f3bb388f8c559c8b7a18c6692c716f1000d8c6
Opcode Fuzzy Hash: e316a1aa1189e3ff51df69c797363826a793b67f251a4ed549bd93ad3ea84cd6
Instruction Fuzzy Hash: 247167B0A00B058FD764DF2AD44179ABBF9FF88308F008A6DD48AD7A50DB35E945CB90

Function 0103590C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010359C9

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5196e6efdbc9239e8d33931dd032450a02f50307424bb8f02b4e28376a588fb
Instruction ID: 9ad2ad07475072eb36b230dc120e32142baa62184fc65e2d51c870f41bd53ff8
Opcode Fuzzy Hash: d5196e6efdbc9239e8d33931dd032450a02f50307424bb8f02b4e28376a588fb
Instruction Fuzzy Hash: A741D2B1C10719CADB24DFAAC984B8EBBF9FF89304F20815AD448AB251DB756946CF50

Function 010344C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010359C9

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0b6c362663ccfa2b4c9d80ffe60fa077c2d03bde4f0b9fe44c5bb1f2ffe68660
Instruction ID: 137f3c4f71c4e52672404cf4011d3f95b0c7a78241937487fd488e6501e14367
Opcode Fuzzy Hash: 0b6c362663ccfa2b4c9d80ffe60fa077c2d03bde4f0b9fe44c5bb1f2ffe68660
Instruction Fuzzy Hash: BE41A2B0C1071DDADB24DFA9C984B9EBBF9FF89304F20805AD448AB251DB756945CF90

Function 07647D0C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07648235,?,?), ref: 076482E7

Memory Dump Source

Source File: 00000000.00000002.1700837785.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_LPO-2024-357.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 91f2e33dab86da600a2d6073d1b3f275f3cff9e0080ee620edead4088c815399
Instruction ID: 0c7bc87ee40c14adeaf8490b2d92f87c6aa77460ad8beb7ee651265a33a4059c
Opcode Fuzzy Hash: 91f2e33dab86da600a2d6073d1b3f275f3cff9e0080ee620edead4088c815399
Instruction Fuzzy Hash: 0F31E2B5D0030A9FCB10CF9AD884A9EBBF5FF48320F14842AE919A7310D774A940CFA4

Function 07B0C648 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B0C6E0

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ac388a6b8f8d6119172b0d789c76d03f9f7f3696885b5eba4b249d82a3681813
Instruction ID: 12ed9a24584de572e1a322e1f8550cfadcfb0d9899b8b05cb91b00f77a0ffb3f
Opcode Fuzzy Hash: ac388a6b8f8d6119172b0d789c76d03f9f7f3696885b5eba4b249d82a3681813
Instruction Fuzzy Hash: 532106B590030A9FDB10CFA9C885BDEBFF5FF48310F10852AE519A7240C7799555DBA4

Function 07B0C650 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B0C6E0

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8a91e30d9c082baf6eeae9cc52e48ccf9d226d11fe93d7950ea7f712661fa8f5
Instruction ID: 1fd693f9f3d7cf7dcb6b23809dce20fd96945c11319e10e56fcff5747360daec
Opcode Fuzzy Hash: 8a91e30d9c082baf6eeae9cc52e48ccf9d226d11fe93d7950ea7f712661fa8f5
Instruction Fuzzy Hash: FA2127B59003099FDB10CFA9C881BDEBFF5FF48310F10842AE919A7240C7789940DBA4

Function 07B0C739 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B0C7C0

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d2996b00cfd12d4974014a72c24a84315cdba825d5402df0b43f56aa73854ac0
Instruction ID: d13697d807b0f4b666b3b1ea6878a757c8bcb6f5c0c90f8134064e0001d50757
Opcode Fuzzy Hash: d2996b00cfd12d4974014a72c24a84315cdba825d5402df0b43f56aa73854ac0
Instruction Fuzzy Hash: FF2105B2D0035A9FDB10CFA9C985ADEFBF5FF48310F10892AE518A7240C7789544DBA5

Function 07B0C079 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B0C0FE

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8f433a12627053efce780091139ac0b851ba6033f969c2f6a067b2d639c823f6
Instruction ID: e88bc927878fe3f139410f502ae75069da5d68127a5cfa872607fccdd95eb382
Opcode Fuzzy Hash: 8f433a12627053efce780091139ac0b851ba6033f969c2f6a067b2d639c823f6
Instruction Fuzzy Hash: 7A21F5B19002099FDB10CFAAC485BEEBFF5EF98324F14852AD459A7241CB789945CFA1

Function 07B0C740 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B0C7C0

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b8ae5937f5db2b028b46efa2f0cd6f0314c9da4eee1fc32765b7a84723dc2abf
Instruction ID: 806cfc529ed1b3f610b53f073bafb1f80181042226f9822b63ed2e07c54f0d6c
Opcode Fuzzy Hash: b8ae5937f5db2b028b46efa2f0cd6f0314c9da4eee1fc32765b7a84723dc2abf
Instruction Fuzzy Hash: 8E2128B1D003499FDB10CFAAC885ADEFBF5FF48320F10842AE518A7240C7789500DBA5

Function 07B0C080 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B0C0FE

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9190f24d8841b8ccf5febe74640d6db1c52cdd2a162869c11336f428b15973a1
Instruction ID: d8239bd3a831a3b1a76dd54499e13fac0dc4157327ae74b98e0dc5d1b58c3afe
Opcode Fuzzy Hash: 9190f24d8841b8ccf5febe74640d6db1c52cdd2a162869c11336f428b15973a1
Instruction Fuzzy Hash: 4D2107B19003099FDB10DFAAC4857EEBFF4EF48324F14842AD519A7240DB789945CBA5

Function 0103D661 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103D6EF

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 94a91a01911dba1c1fc07c2e371454e9e3cb2e4f53f835abe7e52e0636ed85dc
Instruction ID: 408174b709fbbb8a6fb3a84c98d6db22402507ee121fd4c8f2cbe55d0edbcf13
Opcode Fuzzy Hash: 94a91a01911dba1c1fc07c2e371454e9e3cb2e4f53f835abe7e52e0636ed85dc
Instruction Fuzzy Hash: 9421F2B5D002489FDB10CF99D584ADEBBF8FF48320F14845AE918A7210D378A954DF60

Function 0103D668 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103D6EF

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: efc185c0d8f80aec6d368bc4df413119f02a3b345a5eb88afdb55dc27fe0d9ec
Instruction ID: 4eebcff09840fb85214f76e59679ba7ee4a0830dbef8a4cf72cbe8f05e4d7572
Opcode Fuzzy Hash: efc185c0d8f80aec6d368bc4df413119f02a3b345a5eb88afdb55dc27fe0d9ec
Instruction Fuzzy Hash: AF21E4B5D002489FDB10CF9AD984ADEBFF8FB48320F14801AE918A7350D378A944DFA0

Function 07B0C589 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B0C5FE

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0cffed552f17888be81876d82f6b5b84e4ac20818821b4153fedbec48c7991e2
Instruction ID: 26d2ae76b516e81dabe57ba28ba181298751f24b5153baeb0f6027ad98d71736
Opcode Fuzzy Hash: 0cffed552f17888be81876d82f6b5b84e4ac20818821b4153fedbec48c7991e2
Instruction Fuzzy Hash: E01129B5900249DFDB20CFAAC885AEEFFF5EF98324F248419E519A7250C7759540DFA0

Function 07B0C590 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B0C5FE

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57611765b7e01da2e876034fe7d429d0997a50bb80f3534cf6357c1bdf59675b
Instruction ID: 9a1da91c3116aba763499e0059e15055f0f2bc4a01a4acda12fd93f59e7e5406
Opcode Fuzzy Hash: 57611765b7e01da2e876034fe7d429d0997a50bb80f3534cf6357c1bdf59675b
Instruction Fuzzy Hash: 561167B29002099FDB20CFAAC845BDFBFF5EF88324F248419E519A7250CB75A500DFA0

Function 07B0BFC8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07B0C032

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 043a02b8f278861aa051b27c7b09028259efd170c1365f926bce51564057038b
Instruction ID: a5ead9cb17d42e2e08ffcbeac2d98f37a31d83122bd2db56ee678cd69cdbf26b
Opcode Fuzzy Hash: 043a02b8f278861aa051b27c7b09028259efd170c1365f926bce51564057038b
Instruction Fuzzy Hash: F21146B1D002498EDB20CFAAC485BEEFFF5EF88324F24841AD519A7240CB796545CFA0

Function 07B0BFD0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07B0C032

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 26f375ad885edc5273d779653c490f138d4462c4052ba6775cf3884d30a6b405
Instruction ID: de5468a78fe6de31246a9f3069d3c26b57e9c8ad382d40571361ab047da41dba
Opcode Fuzzy Hash: 26f375ad885edc5273d779653c490f138d4462c4052ba6775cf3884d30a6b405
Instruction Fuzzy Hash: A51128B1D003498BDB20DFAAC4457DEFFF9EB88324F24845AD519A7240CB796544CBA5

Function 07B0F639 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07B0F69D

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dd3cd1c4b9951b51eb7457ea2896b18c9bce181a8c729e9057a16ad5d7f10179
Instruction ID: 53b8bfa973bab6ada1ad5f6dfe6f99b3147018e5abcdfa0afca44bf1b9cb7ddf
Opcode Fuzzy Hash: dd3cd1c4b9951b51eb7457ea2896b18c9bce181a8c729e9057a16ad5d7f10179
Instruction Fuzzy Hash: C31106B5900349DFDB20CF99D985BDEBFF4EB48314F208459D418A7250C375A544CFA1

Function 07B0C92C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07B0F69D

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fbccf4a88e01dcc36e70f8644542845bd78f421938bd857a79d9ee3a700e33d3
Instruction ID: cf2cf02a3203082cc15dd947c6a701924843de2beb3ea474c697e6c22a509f0c
Opcode Fuzzy Hash: fbccf4a88e01dcc36e70f8644542845bd78f421938bd857a79d9ee3a700e33d3
Instruction Fuzzy Hash: 3A1125B59003499FDB20DF8AC585BEEBFF8EB48320F10845AE518A7250C374A940CFA4

Function 0103B398 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0103B3FE

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b71080a2c2c42566e6fa863a815dad56c52d8c2893852150d97c73b66d612ff6
Instruction ID: 0bb480dc97f0f8b37069a09985d9239e6ce52f8c7f0645eeda2b70360e0ce587
Opcode Fuzzy Hash: b71080a2c2c42566e6fa863a815dad56c52d8c2893852150d97c73b66d612ff6
Instruction Fuzzy Hash: A81110B6C003498FDB10CF9AC444ADEFBF8EF88328F10846AD959A7200C379A545CFA5

Function 00FBD658 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686840686.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61369cd816db6e2f9fbdc78c72dbc4ded343928763199d7cb33436e9fb3c98e8
Instruction ID: de745accdd7d1e23e87d83970dbdffbe9c28dc445439483abd27154559bdbc50
Opcode Fuzzy Hash: 61369cd816db6e2f9fbdc78c72dbc4ded343928763199d7cb33436e9fb3c98e8
Instruction Fuzzy Hash: 1E2142B2904200DFCB04DF15D9C0BA6BF66FB98324F30856DE9090B256D336D806EFA2

Function 00FCD36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687127903.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0866d5a08274dba4f9b20bdab2e860127ebd9e5d9f7310ac07ed132a15794f6f
Instruction ID: 2834410f97a5bd8320a7fd21e1c1d338e57e57d93f729206cacb4906622d3a7f
Opcode Fuzzy Hash: 0866d5a08274dba4f9b20bdab2e860127ebd9e5d9f7310ac07ed132a15794f6f
Instruction Fuzzy Hash: 4A212975504245DFCB08DF14DAC1F2ABB65FB84324F24C57DE9094B296C336D846EB62

Function 00FCD1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687127903.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce6466862e7e41e4f552b9f3f5a8e6fcbc92277ea551c4ca40a9e687e5f0ab8
Instruction ID: 3525311b45152c7bd416d4521e1761bb393a2134c01a86d1687ef2443db06218
Opcode Fuzzy Hash: 0ce6466862e7e41e4f552b9f3f5a8e6fcbc92277ea551c4ca40a9e687e5f0ab8
Instruction Fuzzy Hash: A62104B2904305EFDB05DF14CAC1F2ABB65FB84324F24C9BDE8494B252C336D846EA61

Function 00FBD653 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686840686.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 6dd2ec17fe291d83feab5be475e4cc5a7528b009b750ca60735b61530e76fd16
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 9B11E176804280CFCB12CF10D5C0B56BF72FB94324F2482A9D8094B256C33AD85ADFA2

Function 00FCD1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687127903.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: a14e9d5d1c164a99dc057c74d6dc554bc9a502a63b68b846869de1e275e99a21
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: A911D075904240CFCB01CF10CAC0B19BB61FB84324F24C6AED8494B656C33AD84ACB51

Function 00FCD367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687127903.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: ae773c49000095124ab879f3c86281bea35e81d8bd0c21d9e2e61b1ca62a0f46
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 2411D075904240CFCB05CF14D6C4B19BB72FB84328F24C6ADD9094B656C33AE84ACB51

Non-executed Functions

Function 07B00040 Relevance: 7.3, Strings: 5, Instructions: 1028COMMON

Download Yara Rule

Strings

TJiq, xrefs: 07B001E6
xbgq, xrefs: 07B00171
Tedq, xrefs: 07B00897
4'dq, xrefs: 07B00C3C
phq, xrefs: 07B00D13

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID: 4'dq$TJiq$Tedq$phq$xbgq
API String ID: 0-3854726174
Opcode ID: ba7b130a5ca98ca6a5ff88b7b915ceaa3b441ddc98edda9baf3e20b2145d2b90
Instruction ID: af1ed7e92ae01a8e00b7f0710892a1825f0ce8ef61c292cb67ad3d25e474a719
Opcode Fuzzy Hash: ba7b130a5ca98ca6a5ff88b7b915ceaa3b441ddc98edda9baf3e20b2145d2b90
Instruction Fuzzy Hash: 22B2C374A00228CFDB64DF69C984BD9BBB2FF89304F1581E9D509AB265DB319E81CF40

Function 07B00006 Relevance: 4.0, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

TJiq, xrefs: 07B001E6
xbgq, xrefs: 07B00171
Tedq, xrefs: 07B00897

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID: TJiq$Tedq$xbgq
API String ID: 0-1882855624
Opcode ID: 675d37a49dfc21c9f6a4b60934ba8e521e9cd1488502f07ede14e82d27b88af4
Instruction ID: d9a0a334a997356f61e2615661f8bc56910e4f79b26039b46e89d4a719573074
Opcode Fuzzy Hash: 675d37a49dfc21c9f6a4b60934ba8e521e9cd1488502f07ede14e82d27b88af4
Instruction Fuzzy Hash: 26C190B5E006588FDB59DF6AC9446D9BBF2BF89300F14C0EAD809AB365DB305A85CF50

Function 0911F147 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

4'dq, xrefs: 0911F229

Memory Dump Source

Source File: 00000000.00000002.1701631240.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9110000_LPO-2024-357.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: c32701918dca192f05c5b139898ce9d3951fff1064c673a50b73cdf6105587a0
Instruction ID: 57eb36b22367c1313f38dec00a6e8d4b458816a3349828c0bf8512239e4b8a40
Opcode Fuzzy Hash: c32701918dca192f05c5b139898ce9d3951fff1064c673a50b73cdf6105587a0
Instruction Fuzzy Hash: 8C613EB0E10244CFD758EF7AE95169E7FF2BBC9308F14D429E008A7268DF7066469B41

Function 0911F158 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'dq, xrefs: 0911F229

Memory Dump Source

Source File: 00000000.00000002.1701631240.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9110000_LPO-2024-357.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 200bdf535459424c90a52c9d900976be2e3fd16a336464637a282fa999134e64
Instruction ID: 8f197c9e73c17118156f094a6d65f46a8ee247bbc212dc7de04154d9018a3b14
Opcode Fuzzy Hash: 200bdf535459424c90a52c9d900976be2e3fd16a336464637a282fa999134e64
Instruction Fuzzy Hash: 40612EB0E10244CFD758EF7AE95169E7FF2BBC9308F14D429E008A7268DF746A459B40

Function 0911F3F0 Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701631240.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9110000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a7128eb4eabe4dda0ce14faee3f3c3d56c872a1968e325e0d496f2a122e0a8
Instruction ID: 68f1cfc26ab8b5849367f87f37d913e89c6f69dd1308312ae6f8f4231df2a9ac
Opcode Fuzzy Hash: b6a7128eb4eabe4dda0ce14faee3f3c3d56c872a1968e325e0d496f2a122e0a8
Instruction Fuzzy Hash: AE327A71B01205AFDB19DF69C590BAEBBF6EF89304F1444A9E146DB3A1CB34E902CB51

Function 07B0B758 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f809e87672385f562c0c4ecbda87a209fcfbf39579fd24521104ea8d7db7659c
Instruction ID: b0f543d1fc18e8f3dca67112e81a2adc581f8f122ae4e20216b9de3d19a0eef7
Opcode Fuzzy Hash: f809e87672385f562c0c4ecbda87a209fcfbf39579fd24521104ea8d7db7659c
Instruction Fuzzy Hash: 19E1DCB4E04119CFDB14DFA9C9909AEFBB2FF89314F248199D815AB355D730A941CFA0

Function 07B096E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd64294ac54710943cda99318e5cfeaa251f50cb3271ba8b02666dfcf65c2e0
Instruction ID: c2e2a4214af4a75b4ccf16422df0ed0547013059f97d430fd39bb6b10a31e54f
Opcode Fuzzy Hash: 8fd64294ac54710943cda99318e5cfeaa251f50cb3271ba8b02666dfcf65c2e0
Instruction Fuzzy Hash: 1EE1EDB4E04119CFDB14DFA9C5909AEFBB2FF89314F2481A9D815AB356D730A941CFA0

Function 07B0C158 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b138f5ed0409cea9feb709c2ea20d9ea1b521a4b32f113dd8468cad70b03ec8
Instruction ID: 3a84f5e60e232d9344c6ce88c57618376fc4b2abacf2aa8e90fafbd4e3d37393
Opcode Fuzzy Hash: 0b138f5ed0409cea9feb709c2ea20d9ea1b521a4b32f113dd8468cad70b03ec8
Instruction Fuzzy Hash: 46E1DAB4E04119CFDB14DFA9C5909AEBFB2FF89314F2482A9D815AB355D730A941CFA0

Function 07B09F58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a9be9ec3a4fc52eb8339d70d4f799267aa721b851b0d27e99053111920ef98
Instruction ID: ce7819df236c0f2ddb1a339c4d81d6beff9469ef50b8430b5036ae50e5db7a46
Opcode Fuzzy Hash: 38a9be9ec3a4fc52eb8339d70d4f799267aa721b851b0d27e99053111920ef98
Instruction Fuzzy Hash: CEE1E9B4E042198FDB14DFA9C5809AEFBB2FF89304F24C5A9D815AB355D731A941CFA0

Function 07B09B20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701120725.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bdcc3615319ab3ce646cf71b8ba83a90f2b92eb349c1f09ef30c20603ebc10
Instruction ID: 98ec5c69aee48ceefdf445c0a3516a153d4301ef99328551024cc1447d473e24
Opcode Fuzzy Hash: 89bdcc3615319ab3ce646cf71b8ba83a90f2b92eb349c1f09ef30c20603ebc10
Instruction Fuzzy Hash: 82E1EBB4E04119CFDB14DF99C5909AEFBB2FF89314F248199E815AB356D730A941CFA0

Function 0764CDE8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700837785.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a643e857014f52e1e482c52fd19893a7a2cde9028c6f15dd490a59704c1eb0
Instruction ID: 80217d492f4d6ad2d006444b1a7f5e053d59d5a13e3c8e89cb8dc65c94f4522f
Opcode Fuzzy Hash: 97a643e857014f52e1e482c52fd19893a7a2cde9028c6f15dd490a59704c1eb0
Instruction Fuzzy Hash: 0DD1E63192075ACACB10EFA4D9906D9B7B1FFA5304F60D79AE00937625EF706AC4DB81

Function 0103DF74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689196852.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5de2ad9fad92e145ec722fcbddf5a94432d697c9967dfd8b96763cddaf75b23
Instruction ID: fe49851c67a92c9ce61eefb64c5dff7f279b6be250247788d065f851678fb4b5
Opcode Fuzzy Hash: c5de2ad9fad92e145ec722fcbddf5a94432d697c9967dfd8b96763cddaf75b23
Instruction Fuzzy Hash: 5BA14C32E002168FCF19DFB5C9845DEBBB6FFC4300B1585AAE906AB265DB31E955CB40

Function 0764CDE7 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700837785.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4624af341d3f173a5ebf6d80cc4d401917ee7bc89249369da0320ad7e05df8
Instruction ID: 717b26f3e0b65239eca22dbd056287630c0d70be588ecfa43d159712f03ff73b
Opcode Fuzzy Hash: ae4624af341d3f173a5ebf6d80cc4d401917ee7bc89249369da0320ad7e05df8
Instruction Fuzzy Hash: D6D1E63192075ACACB10EFA4D9906D9B7B1FFA5304F60D79AE00937625EF706AC4DB81

Function 07641F3C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700837785.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985e93fad610ef8621e34a4ddc6018ea2e570d2e7e278017b6898f2bdfdcbcb5
Instruction ID: 2c5dbb8b816705f12f698ccd324b5ba452d0ae112e7b62f44ca6cbc990e54e9e
Opcode Fuzzy Hash: 985e93fad610ef8621e34a4ddc6018ea2e570d2e7e278017b6898f2bdfdcbcb5
Instruction Fuzzy Hash: 01A1A070A00259CFCB05DFA9C894AEDBBF2FF89300F5485A9E406BB359DB706945CB80

Analysis Process: LPO-2024-357.exePID: 4348, Parent PID: 6516COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	166
Total number of Limit Nodes:	22

Executed Functions

Function 05EDF385 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EDF4A2

Memory Dump Source

Source File: 00000004.00000002.2927247442.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ed0000_LPO-2024-357.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5cb07414b29920d139c63227224835e05ea3f28ee177ec67e6a4c33f322f1038
Instruction ID: f9c26e21e5ae87d8a07906f419da3ea783df206f1d5574082059911539eb5b84
Opcode Fuzzy Hash: 5cb07414b29920d139c63227224835e05ea3f28ee177ec67e6a4c33f322f1038
Instruction Fuzzy Hash: F051D2B1D10349DFDB14CF9AD984ADEFBB5BF88314F24812AE819AB210D775A845CF90

Function 05EDF390 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EDF4A2

Memory Dump Source

Source File: 00000004.00000002.2927247442.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ed0000_LPO-2024-357.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b0a9bcaaf0113e18a85ef5f1d4355d6cfbe8e28e36b2ede3bf7998fc11a6d713
Instruction ID: 5a63e0855b20191004b4c85c5f17571f0b6c3df4586e3357a77f08ccdc1f768a
Opcode Fuzzy Hash: b0a9bcaaf0113e18a85ef5f1d4355d6cfbe8e28e36b2ede3bf7998fc11a6d713
Instruction Fuzzy Hash: 7341BEB1D10349DFDB14CF9AC984ADEFBB5BF88314F24912AE819AB210D775A845CF90

Function 00D7B068 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D7B0F7

Memory Dump Source

Source File: 00000004.00000002.2922887898.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_LPO-2024-357.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 90c3470305cb906e4112de5bf0693dcb5170916e28e4ab5236378574a5479e8a
Instruction ID: 37def5aa2d804b508fcceaa21550a913635c632f48f902246b64063ebf1a3664
Opcode Fuzzy Hash: 90c3470305cb906e4112de5bf0693dcb5170916e28e4ab5236378574a5479e8a
Instruction Fuzzy Hash: D921E3B5D002499FDB10CF9AD984ADEBFF9EB48320F14841AE918A3350D379A944CFA4

Function 00D7B070 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D7B0F7

Memory Dump Source

Source File: 00000004.00000002.2922887898.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_LPO-2024-357.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f83e89b7c51c24534a2be6666ec1b1b5afb33eccc5b6a14d368982f5a618fae9
Instruction ID: 8fa79b9cedd4aaa02d72ed866d2998cccdef46e5845f76751203f3b1be56494e
Opcode Fuzzy Hash: f83e89b7c51c24534a2be6666ec1b1b5afb33eccc5b6a14d368982f5a618fae9
Instruction Fuzzy Hash: 8F21C4B5900249DFDB10CF9AD984ADEBFF9FB48320F14841AE918A7350D379A944CFA5

Function 05EDB410 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,05EDC32C), ref: 05EDC566

Memory Dump Source

Source File: 00000004.00000002.2927247442.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ed0000_LPO-2024-357.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7cb689517bcd705ebd2e76fdc6be82eeb28040dc0b279c273ea494ab1c03bd81
Instruction ID: b3c92f93a910a27bf16ad8860feaa8f8f38575f8f612b4ff49adb1dbcdfe084d
Opcode Fuzzy Hash: 7cb689517bcd705ebd2e76fdc6be82eeb28040dc0b279c273ea494ab1c03bd81
Instruction Fuzzy Hash: FB1134B1C003098FCB20DF9AC548BDEFBF4EB88254F20805AD459B7200D375A945CFA4

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2921988557.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26f18612cb1d2902c263dc1101f1f336fb2f829ec29ce5c6de577cf6f6ad0ed
Instruction ID: ff96d6fe634537af191f0d8f3f63c7fefd35d8b70c6cd9d2c664128e21d0a273
Opcode Fuzzy Hash: f26f18612cb1d2902c263dc1101f1f336fb2f829ec29ce5c6de577cf6f6ad0ed
Instruction Fuzzy Hash: 8921F575504240DFCB14DF14E5D0B27BBA5FB84314F24C5ADD94E4B2A6C736D847CA61

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2921988557.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc66e1d3b7f54f22f922c8ed0dcfe14af378c6f9f2467d451a6410226f410ae0
Instruction ID: beb2ca04959e87a3953769e4fa30bdb97f1542da4885191996f33cfd509416f5
Opcode Fuzzy Hash: cc66e1d3b7f54f22f922c8ed0dcfe14af378c6f9f2467d451a6410226f410ae0
Instruction Fuzzy Hash: 772162755083809FDB12CF14D994B16BFB1EB46314F28C5DAD8498F2A7C33AD85ACB62

Function 00B0D628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2921906565.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0d000_LPO-2024-357.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fc842c7d509e595450c5bb27c83a4e0b785df3eb4e89413ebefe52e99812b7
Instruction ID: 4b549d1a6736b1611816805c9367108e5d5067faac399d43541c4a64cb81e54e
Opcode Fuzzy Hash: a6fc842c7d509e595450c5bb27c83a4e0b785df3eb4e89413ebefe52e99812b7
Instruction Fuzzy Hash: D3F062715043449AE7208A5ADDC4B62FFD8EB51724F18C59AED0C4A2C6C67A9844CBB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LPO-2024-357.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LPO-2024-357.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3do5jaz2.mem.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfxmo5er.034.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grdgjhle.kg0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svawvg5q.wbm.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
LPO-2024-357.exe

Function 0103D41A Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0103D420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07648248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
COMMON

Function 07B0CCCC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 07B0CCD8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0103B1A8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre