Edit tour

Windows Analysis Report
Leoch-Purchase Order.exe

Overview

General Information

Sample name:	Leoch-Purchase Order.exe
Analysis ID:	1427770
MD5:	3825ed31a02b3d690c3d43a1e3808d1a
SHA1:	82b16668205bd4ca4b5c6119be08a9cfcc5248d6
SHA256:	d0bbc42f00f4cf1b59db6e2c2b13fe64bdd85c43e8209493b46119fbcc945db8
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Leoch-Purchase Order.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\Leoch-Purchase Order.exe" MD5: 3825ED31A02B3D690C3D43A1E3808D1A)

Leoch-Purchase Order.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\Leoch-Purchase Order.exe" MD5: 3825ED31A02B3D690C3D43A1E3808D1A)

uaAWu.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe" MD5: 3825ED31A02B3D690C3D43A1E3808D1A)

uaAWu.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe" MD5: 3825ED31A02B3D690C3D43A1E3808D1A)

WerFault.exe (PID: 7744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)

uaAWu.exe (PID: 7776 cmdline: "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe" MD5: 3825ED31A02B3D690C3D43A1E3808D1A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339e4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33ae0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bdc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33ce4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Leoch-Purchase Order.exe PID: 7408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Leoch-Purchase Order.exe PID: 7408	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Leoch-Purchase Order.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Leoch-Purchase Order.exe PID: 7432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: uaAWu.exe PID: 7776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uaAWu.exe PID: 7776	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339e4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33ae0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bdc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33ce4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.uaAWu.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.uaAWu.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.4f60000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Leoch-Purchase Order.exe.4f60000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.4f60000.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31be4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ce0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ddc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ee4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339e4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33ae0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bdc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33ce4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Leoch-Purchase Order.exe.3c26140.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Leoch-Purchase Order.exe.3c26140.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.3c26140.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31be4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ce0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ddc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ee4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Leoch-Purchase Order.exe.3beb110.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Leoch-Purchase Order.exe.3beb110.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.3beb110.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31be4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ce0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ddc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ee4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339e4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6ea14:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a56:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea86:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33ae0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eb10:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b72:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eba2:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bdc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ec0c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c4e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec7e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33ce4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ed14:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d74:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eda4:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Leoch-Purchase Order.exe, ProcessId: 7432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uaAWu

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.145.107, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\Leoch-Purchase Order.exe, Initiated: true, ProcessId: 7432, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Leoch-Purchase Order.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Virustotal: Detection: 52%			Perma Link

Multi AV Scanner detection for submitted file

Source: Leoch-Purchase Order.exe	ReversingLabs: Detection: 42%
Source: Leoch-Purchase Order.exe	Virustotal: Detection: 52%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Leoch-Purchase Order.exe

Joe Sandbox ML: detected

Source: Leoch-Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: Leoch-Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 46.175.145.107:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.voivocars.com
Source: uaAWu.exe, 00000007.00000002.2902710011.0000000006A62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coo
Source: Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uaAWu.exe, 00000007.00000002.2902710011.0000000006A62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000001.00000002.2894274210.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, cPKWk.cs	.Net Code: aHIKnt
Source: 0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack, cPKWk.cs	.Net Code: aHIKnt
Source: 0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack, cPKWk.cs	.Net Code: aHIKnt

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Leoch-Purchase Order.exe.4f60000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Leoch-Purchase Order.exe.3c26140.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Leoch-Purchase Order.exe

Sample has a suspicious name (potential lure to open the executable)

Source: Leoch-Purchase Order.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00FC0054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	0_2_00FC0054
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00FC0000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	0_2_00FC0000
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 2_2_02570054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	2_2_02570054
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 2_2_02570000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	2_2_02570000

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_0164EB00	1_2_0164EB00
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_01644AA8	1_2_01644AA8
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_0164ACF0	1_2_0164ACF0
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_01643E90	1_2_01643E90
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_016441D8	1_2_016441D8
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066EA8B4	1_2_066EA8B4
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066EA594	1_2_066EA594
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066EBDE0	1_2_066EBDE0
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066EDBF0	1_2_066EDBF0
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F66C0	1_2_066F66C0
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F56B0	1_2_066F56B0
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F3578	1_2_066F3578
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066FC258	1_2_066FC258
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066FB2FF	1_2_066FB2FF
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F0040	1_2_066F0040
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F7E50	1_2_066F7E50
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F7770	1_2_066F7770
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066FE480	1_2_066FE480
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F0006	1_2_066F0006
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066F5DAB	1_2_066F5DAB
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_0196E5E0	7_2_0196E5E0
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_0196ABDB	7_2_0196ABDB
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_01964AA8	7_2_01964AA8
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_01963E90	7_2_01963E90
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_019641D8	7_2_019641D8
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F6AAAC	7_2_06F6AAAC
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F6A78C	7_2_06F6A78C
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F6DBD0	7_2_06F6DBD0
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F766B8	7_2_06F766B8
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F756A8	7_2_06F756A8
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F7B2F7	7_2_06F7B2F7
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F7C250	7_2_06F7C250
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F73170	7_2_06F73170
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F77E48	7_2_06F77E48
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F77768	7_2_06F77768
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F7E478	7_2_06F7E478
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F72349	7_2_06F72349
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F70040	7_2_06F70040
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F75DA3	7_2_06F75DA3
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F70007	7_2_06F70007

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 80

Source: Leoch-Purchase Order.exe, 00000000.00000000.1637100476.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVbsFjpI.exe< vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed94471b9-7b46-41e6-9ff5-cfa52fe6c858.exe4 vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe, 00000000.00000002.1654995843.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed94471b9-7b46-41e6-9ff5-cfa52fe6c858.exe4 vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe, 00000001.00000002.2894458452.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe, 00000001.00000002.2900059447.00000000064B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVbsFjpI.ex0 vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe, 00000001.00000002.2894274210.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed94471b9-7b46-41e6-9ff5-cfa52fe6c858.exe4 vs Leoch-Purchase Order.exe
Source: Leoch-Purchase Order.exe	Binary or memory string: OriginalFilenameVbsFjpI.exe< vs Leoch-Purchase Order.exe

Source: Leoch-Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Leoch-Purchase Order.exe.4f60000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Leoch-Purchase Order.exe.3c26140.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Leoch-Purchase Order.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uaAWu.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Leoch-Purchase Order.exe, Ikv.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

File created: C:\Users\user\AppData\Roaming\uaAWu

Jump to behavior

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\dc13b0bb-dc88-439c-a2a3-a71d72d2d6fc

Jump to behavior

Source: Leoch-Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Leoch-Purchase Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Leoch-Purchase Order.exe	ReversingLabs: Detection: 42%
Source: Leoch-Purchase Order.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

File read: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Leoch-Purchase Order.exe "C:\Users\user\Desktop\Leoch-Purchase Order.exe"
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process created: C:\Users\user\Desktop\Leoch-Purchase Order.exe "C:\Users\user\Desktop\Leoch-Purchase Order.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 80
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process created: C:\Users\user\Desktop\Leoch-Purchase Order.exe "C:\Users\user\Desktop\Leoch-Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Leoch-Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Leoch-Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00F41684 push ecx; iretd	0_2_00F41686
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00F40971 push ds; iretd	0_2_00F40972
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00F4053F pushad ; iretd	0_2_00F4054A
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00F40510 push edx; iretd	0_2_00F4051A
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00F40A00 push ds; iretd	0_2_00F40A02
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 0_2_00F40A09 push ds; iretd	0_2_00F40A0A
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_01640C3D push edi; ret	1_2_01640CC2
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_01640C95 push edi; retf	1_2_01640C3A
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Code function: 1_2_066EFEF0 push es; ret	1_2_066EFEF4
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_0196EE78 push esp; retn 06F0h	7_2_0196EF21
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_01960C95 push edi; retf	7_2_01960C3A
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_01960C3D push edi; ret	7_2_01960CC2
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F6FF43 push es; ret	7_2_06F6FF44
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Code function: 7_2_06F6FF3F push es; ret	7_2_06F6FF40

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

File created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uaAWu			Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uaAWu			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: iconPdf.png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

File opened: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory allocated: 46C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory allocated: 1920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory allocated: 32D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory allocated: 52D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Window / User API: threadDelayed 1382	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Window / User API: threadDelayed 8471	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Window / User API: threadDelayed 5684	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Window / User API: threadDelayed 4152	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7564	Thread sleep count: 1382 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7564	Thread sleep count: 8471 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -94716s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe TID: 7560	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7768	Thread sleep count: 199 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7876	Thread sleep count: 5684 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7876	Thread sleep count: 4152 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98849s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98608s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98267s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -98024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -97441s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -97175s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -96696s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -96118s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95976s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -95063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -94110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93941s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -93110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -92985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -92860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe TID: 7872	Thread sleep time: -92735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99327	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97764	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97438	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97313	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 97063	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96826	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96266	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95719	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95594	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 94716	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98849	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98608	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98267	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 98024	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 97441	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 97175	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 96696	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 96118	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95976	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 95063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 94110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93941	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 93110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 92985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 92860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Thread delayed: delay time: 92735	Jump to behavior

Source: Leoch-Purchase Order.exe, 00000001.00000002.2894928300.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: uaAWu.exe, 00000007.00000002.2895029812.000000000155F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Code function: 0_2_00FC0054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_00FC0054

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Memory written: C:\Users\user\Desktop\Leoch-Purchase Order.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Memory written: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Process created: C:\Users\user\Desktop\Leoch-Purchase Order.exe "C:\Users\user\Desktop\Leoch-Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Process created: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe "C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Leoch-Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Leoch-Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.uaAWu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3c26140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3beb110.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Leoch-Purchase Order.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Leoch-Purchase Order.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uaAWu.exe PID: 7776, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Leoch-Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.uaAWu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3c26140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3beb110.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Leoch-Purchase Order.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Leoch-Purchase Order.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uaAWu.exe PID: 7776, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3c26140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.uaAWu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.4f60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3c26140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3beb110.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Leoch-Purchase Order.exe.3beb110.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Leoch-Purchase Order.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Leoch-Purchase Order.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uaAWu.exe PID: 7776, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	1 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Leoch-Purchase Order.exe	42%	ReversingLabs	ByteCode-MSIL.Keylogger.KeyBase
Leoch-Purchase Order.exe	52%	Virustotal		Browse
Leoch-Purchase Order.exe	100%	Avira	TR/Dropper.MSIL.Gen
Leoch-Purchase Order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	42%	ReversingLabs	ByteCode-MSIL.Keylogger.KeyBase
C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe	52%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.microsoft.c	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.voivocars.com	46.175.145.107	true	false		unknown
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000001.00000002.2894274210.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.voivocars.com	Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.microsoft.c	uaAWu.exe, 00000007.00000002.2902710011.0000000006A62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp	false		high
http://microsoft.coo	uaAWu.exe, 00000007.00000002.2902710011.0000000006A62000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/t	Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.145.107	mail.voivocars.com	Ukraine		56394	ASLAGIDKOM-NETUA	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427770
Start date and time:	2024-04-18 06:28:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Leoch-Purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 142 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:28:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run uaAWu C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
05:29:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run uaAWu C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
06:28:57	API Interceptor	176x Sleep call for process: Leoch-Purchase Order.exe modified
06:29:08	API Interceptor	160x Sleep call for process: uaAWu.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ZG17uv37pi.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	ZG17uv37pi.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Fizetes,jpg.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.FileRepMalware.7644.21541.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	payload.js	Get hash	malicious	Unknown	Browse	104.26.13.205
	payload.js	Get hash	malicious	Unknown	Browse	172.67.74.152
	Payment Advice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	SAMPLE PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Eaton PO-45150292964.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	remittance payment of invoice DMWW24009.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Proforma Invoice - Well Ergon.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	order Depeng POORD20231109001.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Swift_copy.pdf (2).exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Swift Copy.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	purchase_order T&B19-20PO128.pdf.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
CLOUDFLARENETUS	SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://ortelia.com/download-ortelia-curator/	Get hash	malicious	Havoc	Browse	1.1.1.1
	SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe	Get hash	malicious	Glupteba, PureLog Stealer, zgRAT	Browse	104.21.91.214
	http://ranchpools.com	Get hash	malicious	Unknown	Browse	104.19.178.52
	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://t.cm.morganstanley.com/r/?id=h1b92d14%2C134cc33c%2C1356be32&p1=www.saiengroup.com%2Fteaz%2F648c482b60b3906833c9304bab170add%2FJBVNhz%2FYW15LmNoZW5AZG91YmxlbGluZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Get hash	malicious	Unknown	Browse	172.67.184.140
	https://windowdefalerts-error0x21906-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.67.176.240
	https://windowdefalerts-error0x21903-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.44.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ZG17uv37pi.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	ZG17uv37pi.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://mitchellind.ubpages.com/mi-ind/	Get hash	malicious	Unknown	Browse	172.67.74.152
	Fizetes,jpg.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.FileRepMalware.7644.21541.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payment Advice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Draft Sales contract.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.278387447678832
Encrypted:	false
SSDEEP:	6144:Xk67U5g5NTax7p9S44HtAs7EgaIgai/rBUEjh7g/+qUMwe/vqtapko+QZKAJ7CZz:d7U25NTaNpkRNA0Jpgdj3VHZ+q7ofZ7U
MD5:	3825ED31A02B3D690C3D43A1E3808D1A
SHA1:	82B16668205BD4CA4B5C6119BE08A9CFCC5248D6
SHA-256:	D0BBC42F00F4CF1B59DB6E2C2B13FE64BDD85C43E8209493B46119FBCC945DB8
SHA-512:	3D6CECEA0AA67F3E875107F408D278C45948BA497DEF9FC31C5F2BDCA74DBB98F6CF84D42C7472842897793E637C8CF12139AC1FABE6D75D43618D43980526D6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 52%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f f.................>...(.......\... ...`....@.. ....................................@.................................h\..S....`...%........................................................................... ............... ..H............text....<... ...>.................. ..`.rsrc....%...`...&...@..............@..@.reloc...............f..............@..B.................\......H.......0..82..........h7...............................................0..%.......(....s.....s.......s......o....o......(....V.(......}......}......0..p..........{;......;......{=...{.....{=...{....r...po....o....}>.....{=...{.....{=...{....r#..po....o....}?......{?....i .....@(....}@......{>....i .....@(....}A....{?.....{@....{?....i(.....{>.....{A....{>....i(.....{=....{@....{A...o....o.......(....->..};.....}B....\|<......(...+...Y.{B...............}B.....};.....(.....

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.278387447678832
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Leoch-Purchase Order.exe
File size:	354'304 bytes
MD5:	3825ed31a02b3d690c3d43a1e3808d1a
SHA1:	82b16668205bd4ca4b5c6119be08a9cfcc5248d6
SHA256:	d0bbc42f00f4cf1b59db6e2c2b13fe64bdd85c43e8209493b46119fbcc945db8
SHA512:	3d6cecea0aa67f3e875107f408d278c45948ba497def9fc31c5f2bdca74dbb98f6cf84d42c7472842897793e637c8cf12139ac1fabe6d75d43618d43980526d6
SSDEEP:	6144:Xk67U5g5NTax7p9S44HtAs7EgaIgai/rBUEjh7g/+qUMwe/vqtapko+QZKAJ7CZz:d7U25NTaNpkRNA0Jpgdj3VHZ+q7ofZ7U
TLSH:	A2741207B7856A75C90E477EA0B913B917F58F8E183AE7CF5F2A30625EB73414846B80
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f f.................>...(.......\... ...`....@.. ....................................@................................

File Icon


Icon Hash:	6aae8e96b2cce892

Static PE Info

General

Entrypoint:	0x455cbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66206601 [Thu Apr 18 00:14:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x55c68	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0x2590	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x53cc4	0x53e00	69579747f4d9cebab2b740e02f5148f6	False	0.7464313990312966	data	6.186079411169374	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x56000	0x2590	0x2600	1c19da615ed3207d93f1d4103c61cadd	False	0.4056332236842105	data	5.535057120154688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a000	0xc	0x200	a5bcb23a7eb88ed3ec009cc0ed30591f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x56190	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.3022983114446529
RT_ICON	0x57238	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5471311475409836
RT_ICON	0x57bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5762411347517731
RT_GROUP_ICON	0x58028	0x30	data	0.875
RT_VERSION	0x58058	0x34c	data	0.4146919431279621
RT_MANIFEST	0x583a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 06:28:56.581676006 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.581768990 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:56.581859112 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.590650082 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.590693951 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:56.810285091 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:56.810369015 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.814024925 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.814048052 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:56.814318895 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:56.858088017 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.864695072 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:56.912125111 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:57.111253023 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:57.111315012 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 06:28:57.111376047 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:57.117588997 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:28:57.915863037 CEST	49731	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:28:58.920594931 CEST	49731	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:00.920948982 CEST	49731	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:04.936471939 CEST	49731	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:08.511471987 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.511511087 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:08.511583090 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.515294075 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.515336037 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:08.736393929 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:08.736510038 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.738034010 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.738078117 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:08.738586903 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:08.780086994 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.818680048 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:08.864121914 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:09.039046049 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:09.039180040 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 06:29:09.039347887 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:09.041774035 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 06:29:09.519710064 CEST	49733	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:10.530005932 CEST	49733	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:12.545747042 CEST	49733	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:12.959635973 CEST	49731	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:16.548470020 CEST	49733	25	192.168.2.4	46.175.145.107
Apr 18, 2024 06:29:24.561359882 CEST	49733	25	192.168.2.4	46.175.145.107

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 06:28:56.461325884 CEST	63815	53	192.168.2.4	1.1.1.1
Apr 18, 2024 06:28:56.565665007 CEST	53	63815	1.1.1.1	192.168.2.4
Apr 18, 2024 06:28:57.777029991 CEST	52602	53	192.168.2.4	1.1.1.1
Apr 18, 2024 06:28:57.915131092 CEST	53	52602	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 06:28:56.461325884 CEST	192.168.2.4	1.1.1.1	0xe790	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 18, 2024 06:28:57.777029991 CEST	192.168.2.4	1.1.1.1	0xa9b1	Standard query (0)	mail.voivocars.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 06:28:56.565665007 CEST	1.1.1.1	192.168.2.4	0xe790	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 18, 2024 06:28:56.565665007 CEST	1.1.1.1	192.168.2.4	0xe790	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 06:28:56.565665007 CEST	1.1.1.1	192.168.2.4	0xe790	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 06:28:57.915131092 CEST	1.1.1.1	192.168.2.4	0xa9b1	No error (0)	mail.voivocars.com	46.175.145.107	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	7432	C:\Users\user\Desktop\Leoch-Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 04:28:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 04:28:57 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 04:28:57 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8761e93828a91386-ATL
2024-04-18 04:28:57 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.74.152	443	7776	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 04:29:08 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 04:29:09 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 04:29:08 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8761e982bc3f44db-ATL
2024-04-18 04:29:09 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Target ID:	0
Start time:	06:28:55
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Leoch-Purchase Order.exe"
Imagebase:	0x6d0000
File size:	354'304 bytes
MD5 hash:	3825ED31A02B3D690C3D43A1E3808D1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:28:55
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Leoch-Purchase Order.exe"
Imagebase:	0x6b0000
File size:	354'304 bytes
MD5 hash:	3825ED31A02B3D690C3D43A1E3808D1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2895748774.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:29:05
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Imagebase:	0x360000
File size:	354'304 bytes
MD5 hash:	3825ED31A02B3D690C3D43A1E3808D1A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs Detection: 52%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:29:06
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Imagebase:	0x370000
File size:	354'304 bytes
MD5 hash:	3825ED31A02B3D690C3D43A1E3808D1A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:29:06
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 80
Imagebase:	0x610000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:29:07
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Imagebase:	0xf30000
File size:	354'304 bytes
MD5 hash:	3825ED31A02B3D690C3D43A1E3808D1A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2895870683.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	36.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	55.3%
Total number of Nodes:	114
Total number of Limit Nodes:	0

Executed Functions

Function 00FC0000 Relevance: 13.9, APIs: 9, Instructions: 363
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC0054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 00FC0167

NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 00FC0192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 00FC01C9
WriteProcessMemory.KERNELBASE ref: 00FC0217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 00FC02FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 00FC0355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 00FC03A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 00FC03EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 00FC040C

Memory Dump Source

Source File: 00000000.00000002.1655372550.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_Leoch-Purchase Order.jbxd

Similarity

API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
String ID:
API String ID: 2814188497-0
Opcode ID: 27baaa82f41d3ecd19f90e968c06d5af1b057a91fd3cf35e71022df9cdb30d44
Instruction ID: fd19c07b37a09a24d9ab70653e6bbf5e48aafb5dfb5a207aa0ac8cc2fa67ef28
Opcode Fuzzy Hash: 27baaa82f41d3ecd19f90e968c06d5af1b057a91fd3cf35e71022df9cdb30d44
Instruction Fuzzy Hash: BEC10D74690346FFE619B7B09D47F2A37259F46B08F1480ADF3005F1E3CDAA6812A762

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC0420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,00FC0083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 00FC043F

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 00FC0167
NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 00FC0192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 00FC01C9
WriteProcessMemory.KERNELBASE ref: 00FC0217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 00FC02FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 00FC0355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 00FC03A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 00FC03EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 00FC040C

Memory Dump Source

Source File: 00000000.00000002.1655372550.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_Leoch-Purchase Order.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
String ID:
API String ID: 4009322845-0
Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction ID: e6763e2887ae047884a9ca30ad5db9574be0e998f8129c267e960c28b9943c64
Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction Fuzzy Hash: 20A1CC74690206FFE519F7F1DE47F2A36159F85B08F20816CF3006F1D2CDAA6D22A661

Uniqueness

Uniqueness Score: -1.00%

Function 00F405B4 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00F41053

Memory Dump Source

Source File: 00000000.00000002.1655272448.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Leoch-Purchase Order.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: dcac7cb18ff3aa98516fedc662d4f72786e598877744baaf52eebbd2fec1ffff
Instruction ID: ebe69a99333bc04a9972500705d73f105769065cffe6e8e82dece9637128cf6e
Opcode Fuzzy Hash: dcac7cb18ff3aa98516fedc662d4f72786e598877744baaf52eebbd2fec1ffff
Instruction Fuzzy Hash: 4411D7B5900649DFCB10DF99C844BDEBFF4FB48320F108419EA58A7250C775A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F40FE7 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00F41053

Memory Dump Source

Source File: 00000000.00000002.1655272448.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Leoch-Purchase Order.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 002395d4f706b0276fdaf4fc501a6d5796c8a1f4f93b2f9cc08c925eb6c7a99f
Instruction ID: ed719cf0fb8959466c22ff0b5a166ae5b484ce048bac0fd235cd8a0527b74da3
Opcode Fuzzy Hash: 002395d4f706b0276fdaf4fc501a6d5796c8a1f4f93b2f9cc08c925eb6c7a99f
Instruction Fuzzy Hash: D011E6B5900249DFCB10DF99D844BDEBFF4FB48320F208419E559A7250C375A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F40CE0 Relevance: 1.3, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00F40D48

Memory Dump Source

Source File: 00000000.00000002.1655272448.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Leoch-Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2ba029bdd8e40d2da2f98273b833564dac506fb4cab259da58d2a52320bbde14
Instruction ID: f0d2aa6e5d401a9ff3d8cad9f7740872a7245aaf295e128f5ea65fbcc6f9dcac
Opcode Fuzzy Hash: 2ba029bdd8e40d2da2f98273b833564dac506fb4cab259da58d2a52320bbde14
Instruction Fuzzy Hash: 2A11F2B59002489FCB10DF9AC884BDEFFF8EB48320F208419E958A7250C775A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F40CDF Relevance: 1.3, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00F40D48

Memory Dump Source

Source File: 00000000.00000002.1655272448.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_Leoch-Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 45ed66279859901f8fbe97bf594148f07e44fcf13abddfebbcaf560e0489157a
Instruction ID: 950f3440527f9894385a0225e5520880350b6bc4c3fb171778d862facfafd471
Opcode Fuzzy Hash: 45ed66279859901f8fbe97bf594148f07e44fcf13abddfebbcaf560e0489157a
Instruction Fuzzy Hash: EC11F2B59002489FCB20DF9AD884BDEFFF4EB48320F208419E959A7250C775A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,00FC0083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 00FC043F

Memory Dump Source

Source File: 00000000.00000002.1655372550.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_Leoch-Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction ID: 50dbd9306bdfc6d84441e58e0ec1c8e5204bb51d7e621a2ac9f1bbaff3abe735
Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction Fuzzy Hash: EFD02270184302FAF205FBB14D03F0A3680AF40B0AF40081CF304380E2CDBE981A2256

Uniqueness

Uniqueness Score: -1.00%

Function 00CED6CD Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1654831260.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafd4accf59f1b7249e5b2d6d98c6652f51366f037dc8d9b221c925f74ef15a2
Instruction ID: d9983b30a900008c278fa3091b2741addc1849112252062c2edbd5e451750af3
Opcode Fuzzy Hash: dafd4accf59f1b7249e5b2d6d98c6652f51366f037dc8d9b221c925f74ef15a2
Instruction Fuzzy Hash: 8D01DB710083809AE7105F17CDC4767FFDCEF41324F18C92AED1A4A18AC679D940CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00CED6CC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654831260.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7179af816175c9b27fb830b38316168cc803905e98ff0c17b9f11945ce263f6
Instruction ID: 9de22ddfc2ca005b3751a69311c1f2881bdcee6fab03435a6390b7477619d224
Opcode Fuzzy Hash: c7179af816175c9b27fb830b38316168cc803905e98ff0c17b9f11945ce263f6
Instruction Fuzzy Hash: AAF06271404384AEE7109B16CD84B66FFA8EF51724F18C45AED594A28AC2799845CA71

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Leoch-Purchase Order.exePID: 7432, Parent PID: 7408COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2%
Total number of Nodes:	147
Total number of Limit Nodes:	10

Executed Functions

Function 066F3578 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066F3CC4
$^q, xrefs: 066F3CD0
$^q, xrefs: 066F3C83
$^q, xrefs: 066F3CA0
$^q, xrefs: 066F3CAC
$^q, xrefs: 066F3C77

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: e82a68afd4530c58e2c913dfba133e3812704e8d50acd31df4bcaf393acee03d
Instruction ID: 658d7ce8ca38a10987cb733564f9c0f589998fd4ec974183ea5dbc6f69a084cb
Opcode Fuzzy Hash: e82a68afd4530c58e2c913dfba133e3812704e8d50acd31df4bcaf393acee03d
Instruction Fuzzy Hash: F1321D31E2061A8FCB54EF75C89459DB7B6BF89300F14C6A9D509BB364EB30AD85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066F7E50 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066F83F7
$^q, xrefs: 066F83EB

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 15fcecad2ca0c5325a01bdaa55db3003af67b2225080bf8994b456a346cf41b2
Instruction ID: 518feb35cd75eb2b7e01922016e8ecd7f89ed99ef28848ea8e80c6d00f90b9ce
Opcode Fuzzy Hash: 15fcecad2ca0c5325a01bdaa55db3003af67b2225080bf8994b456a346cf41b2
Instruction Fuzzy Hash: 0002AE31B102059FDB54DB68D980AAEBBF2FF84304F148569E505EB394DB35EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0164ACF0 Relevance: 2.9, Instructions: 2916COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c96bc5d40636394d7eea2952d099f8b2b1271867b17fedf2724f7f46a613e0
Instruction ID: 5c65417908433c44620b76a006228082b0ff493f5c29224897b15b6edce47b3c
Opcode Fuzzy Hash: 89c96bc5d40636394d7eea2952d099f8b2b1271867b17fedf2724f7f46a613e0
Instruction Fuzzy Hash: AC63E831D10B1A8EDB51EB68C880599F7B1FF99300F15D79AE458B7221EB70AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0164EB00 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 0164EC17
$^q, xrefs: 0164EBFE

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: cf9bed7a31870ec440ff63aca51199c658f54077bc854eaf061bbc4623508f59
Instruction ID: 5f3115f6928eb9311c58de0106c7261fde254f04e4515c237b5aa44c7cb8dec7
Opcode Fuzzy Hash: cf9bed7a31870ec440ff63aca51199c658f54077bc854eaf061bbc4623508f59
Instruction Fuzzy Hash: 85B1C674B042189BDB18AF799C6467E7BB7BFC8710B04892EE446D7398CE35CC029796

Uniqueness

Uniqueness Score: -1.00%

Function 066F0040 Relevance: 2.1, Instructions: 2076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a735248b930427bcb143fdbe4b9681e327e556993ba40e373635e9ea80430f4
Instruction ID: e8981b8f07b16aa96b91348cc916e125b99b3d5eb12740d40f3bda399a583a96
Opcode Fuzzy Hash: 8a735248b930427bcb143fdbe4b9681e327e556993ba40e373635e9ea80430f4
Instruction Fuzzy Hash: 10230B31D20B198ECB15EF68C89059DF7B1FF99300F14D69AE558B7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066F66C0 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7864bba57ead5a452e8d02eb134b5dc001913cba04f8138d6c3151d7ebcb9820
Instruction ID: 0ddf731fedc54005e34505d96c41d6fb8db31e5d60095faf6be7f5a01b280afa
Opcode Fuzzy Hash: 7864bba57ead5a452e8d02eb134b5dc001913cba04f8138d6c3151d7ebcb9820
Instruction Fuzzy Hash: 8062E230B102049FDB54DB68D994AADBBF2FF88314F148469E50AEB354DB35ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066FC258 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef93218dedb635184df6b599d0fe0d79c47e2f25f76c4acc9a1381f355660fcd
Instruction ID: 1e4ede25b5e9a68c914b56ee6e656ddbc81642509f432c7e568c38e060dfeaeb
Opcode Fuzzy Hash: ef93218dedb635184df6b599d0fe0d79c47e2f25f76c4acc9a1381f355660fcd
Instruction Fuzzy Hash: 8732AF35B202099FDB54DB68E990BAEBBB2FB88310F108529E505E7354DB35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066F56B0 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f3402ae056520cc0d2a67411278b678606ee669d0f3c72791dd43fad8d2806
Instruction ID: 276f8ce9b017d4a3c1691f04f62931e47ae6c9d5e10f6ff0081212cba851f5f5
Opcode Fuzzy Hash: 18f3402ae056520cc0d2a67411278b678606ee669d0f3c72791dd43fad8d2806
Instruction Fuzzy Hash: 92121531F202159BDF24DF64D8806AEB7B2EB95310F208429EA5BDB345CB34EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066FB2FF Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b741cfe5bb70faea1b77764a012c8ed38572d97ae42a4192fe75503a00effa71
Instruction ID: 26c89cc0da31dfb121b310c25fab64c3c9672b09b7e7836ee6dc5c1d47964528
Opcode Fuzzy Hash: b741cfe5bb70faea1b77764a012c8ed38572d97ae42a4192fe75503a00effa71
Instruction Fuzzy Hash: BE227230E202099FDF64DF68D9807ADB7B6FB85310F248826E509EB395DA35DC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01644AA8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261d2d0f31d54fb0909ee4e0dc7acc23d88b2ac923ad847f11fcaadfa02d894e
Instruction ID: 50c1bf3d6800c6a61f73f9987dac1ff1dc6df4f71238faa1f3328957a243f6e3
Opcode Fuzzy Hash: 261d2d0f31d54fb0909ee4e0dc7acc23d88b2ac923ad847f11fcaadfa02d894e
Instruction Fuzzy Hash: 93B14B71E002198FDB14CFA9DC827DDBBF2AF88314F188529D855A7394EF749885CB85

Uniqueness

Uniqueness Score: -1.00%

Function 066EA8B4 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b82dcfc28b8469c59fe274c11301c711bbc865d20203f274552d75459780855
Instruction ID: c835628353951194e7427de3556799288954c253c7798da179a5d06c8d9d57c6
Opcode Fuzzy Hash: 7b82dcfc28b8469c59fe274c11301c711bbc865d20203f274552d75459780855
Instruction Fuzzy Hash: 09A18F75E003199FCB44DFA4D884ADDFBBAFF89310F148219E419AB3A4DB30A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01643E90 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac79d1feed583f2299451bfb6920fbbbe054b4c389722cfd985ffc5d77aab7e
Instruction ID: b1bc051b79bd1806193cee0aae26760f17a71d9f4998c3fc70c43fa398940956
Opcode Fuzzy Hash: 5ac79d1feed583f2299451bfb6920fbbbe054b4c389722cfd985ffc5d77aab7e
Instruction Fuzzy Hash: 29914A70E002199FDF14CFA9C9857EEBBF2BF98714F148129E855A7394EB349885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066EDBF0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8134afef3092af5387b828ec438abb5b4e242686e5bf655448c5623a7afb4c08
Instruction ID: a35f56837deb72de3f01b86428fea303615a1aa53e29e54c11907299068a81a4
Opcode Fuzzy Hash: 8134afef3092af5387b828ec438abb5b4e242686e5bf655448c5623a7afb4c08
Instruction Fuzzy Hash: 4D917F75E0031ADFCB44DFA0D8449DDFBBAFF99310B148215E519AB3A4DB70A986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066FADA8 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066FAF74
$^q, xrefs: 066FAEC9
$^q, xrefs: 066FAED5
$^q, xrefs: 066FAF57
$^q, xrefs: 066FAF4B
$^q, xrefs: 066FAF80
$^q, xrefs: 066FAF28
$^q, xrefs: 066FAF1C

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 5d15e2dcedb9cf4fb6211c432710c1887800c94473850ac07c84cec69518f839
Instruction ID: 6bb15b9e12f7f2dd229d1e4f22c002946296a33a8f778cfeb75c6d45764f81b8
Opcode Fuzzy Hash: 5d15e2dcedb9cf4fb6211c432710c1887800c94473850ac07c84cec69518f839
Instruction Fuzzy Hash: 08E15030E202098FCB65DFA9D9846AEB7B2FF85304F108529E509EB354DB75DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066FB720 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066FBC71
$^q, xrefs: 066FBC7D
$^q, xrefs: 066FBCA5
$^q, xrefs: 066FBCE5
$^q, xrefs: 066FBCD9
$^q, xrefs: 066FBCB1

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 51075c17f5e3e341f446713ce2be041c692843157e6bce145b5547e3da4a35ee
Instruction ID: 4d02d94b71d6c7969fbe21c63e3166c3350d0f4c1a54879f5cf4e08483481d8f
Opcode Fuzzy Hash: 51075c17f5e3e341f446713ce2be041c692843157e6bce145b5547e3da4a35ee
Instruction Fuzzy Hash: C7026B30E202098FDBA4DF68D4807ADB7B2FB85310F24856AE515EB355DB31ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066F9220 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066F92CB
$^q, xrefs: 066F929C
$^q, xrefs: 066F92D7
$^q, xrefs: 066F9290

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2a6c8c0946e3eea8b54fba4d6bf6c415fe924e1925cc8a969f3cb76b00461342
Instruction ID: bda1d60e689c32cfef336547cd3fdd8a10f25ff8ad83fcf70bcf77ada0498928
Opcode Fuzzy Hash: 2a6c8c0946e3eea8b54fba4d6bf6c415fe924e1925cc8a969f3cb76b00461342
Instruction Fuzzy Hash: 42916E31B2020A9FDB54DB64D8507AEB3F6AF89704F108569D509EB348EF31DD468B91

Uniqueness

Uniqueness Score: -1.00%

Function 066FD020 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066FD417
$^q, xrefs: 066FD42B
$^q, xrefs: 066FD41F

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: d5b12431af43744cdbfe655de3cec69387665e41a679a379326a75b59487267c
Instruction ID: 0462a6d2ef0eee2e1d1edafb0f8f4b6ceb4c2b497db04e15edaa44b7a7157ced
Opcode Fuzzy Hash: d5b12431af43744cdbfe655de3cec69387665e41a679a379326a75b59487267c
Instruction Fuzzy Hash: D8622E34A102059FCB55EB68D580A5EB7F2FF85314F248A69D005DF369EB71ED8ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 066F4C80 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 066F4DAD
fcq, xrefs: 066F538D
\Ocq, xrefs: 066F4E37

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: f6ddb4f981daced0d30b2587ae3d68724e4154f2b74f5b1d68f540d63164d84b
Instruction ID: f53b3c4bc48ffe327e631e2374cc72472a87b7b74931592813fc6e84f9b937c9
Opcode Fuzzy Hash: f6ddb4f981daced0d30b2587ae3d68724e4154f2b74f5b1d68f540d63164d84b
Instruction Fuzzy Hash: 22617231F102099FEB559FA9C8547AEBBF2EF88700F208429E106AB395DF758D458B91

Uniqueness

Uniqueness Score: -1.00%

Function 066F9212 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066F92CB
$^q, xrefs: 066F9290

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: cc5585edf6470beee2e77dd7c53a42c5b98bf3454781ae5ea2ca3834f2367348
Instruction ID: 727ac8ef883c63d010a410ffb7ff8bb08b9f5312412a21fecaaffda0a215fb6c
Opcode Fuzzy Hash: cc5585edf6470beee2e77dd7c53a42c5b98bf3454781ae5ea2ca3834f2367348
Instruction Fuzzy Hash: AE515D30B201059FDB94DB78D890BAEB3E6AF89744F108569D509EB388EF31DC428B95

Uniqueness

Uniqueness Score: -1.00%

Function 066EB708 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4c51e3d588a76479d6d8a633efba85330be3d7860726df940b0f4a61403aab53
Instruction ID: d7caf7566fe77289ae15fbd53ba590bdc954b4a80ea827939d771bce229deb50
Opcode Fuzzy Hash: 4c51e3d588a76479d6d8a633efba85330be3d7860726df940b0f4a61403aab53
Instruction Fuzzy Hash: 76713170A01B058FDBA4DF2AD54475ABBF1BF88304F008A2DE48AD7B50DB75E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0164EF9B Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ceb2b8ecd2a8cd9e4e378fbf1efc37ddbba100527aa64cd676aaa10b18f688
Instruction ID: e34826c16582080c31b1d467c76cd3fe0bb4c517ebe46af4ffd68d6be1bd0d74
Opcode Fuzzy Hash: c9ceb2b8ecd2a8cd9e4e378fbf1efc37ddbba100527aa64cd676aaa10b18f688
Instruction Fuzzy Hash: 4A414071E043859FCB14CFB9E8406EEBFF1AF89310F1485AAE504A7252DB749884CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 066ED8E4 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066EDA02

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8768c53e0f9427a92f59c4a3f97224a7af2ca394b86572a44af7f8ec0de8db1c
Instruction ID: 0acb294fbd3dd8389cf482e5eac24a49a8c3c15f45aca814f7986e70c0e13dd2
Opcode Fuzzy Hash: 8768c53e0f9427a92f59c4a3f97224a7af2ca394b86572a44af7f8ec0de8db1c
Instruction Fuzzy Hash: 9751D0B1D00349EFDB14CFA9C984ADEBBB5BF48310F24812AE819AB250D7719945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066ED8F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066EDA02

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4724575f2f12fc44042a44795cd779443b9af8953e2fef340a21c4149f88d7a6
Instruction ID: 23a523c8349a4ce19da3e6d443b2a5addff25854bd4d4033c6f577bba93a54ca
Opcode Fuzzy Hash: 4724575f2f12fc44042a44795cd779443b9af8953e2fef340a21c4149f88d7a6
Instruction Fuzzy Hash: D141D2B1D00309EFDB14CFA9C884ADEBBB5FF48310F24812AE818AB210D7759945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066E3410 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066E349F

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f98f3c3056998f207f0ad1ef87b06f7b725607c04f82dae2b733dde233632fe6
Instruction ID: eb0fb312719e44450baf84c333b72748946f2c495c2bc99d31f3694bc78bb206
Opcode Fuzzy Hash: f98f3c3056998f207f0ad1ef87b06f7b725607c04f82dae2b733dde233632fe6
Instruction Fuzzy Hash: 392105B5D00208EFDB10CFAAD984ADEBBF9EB48310F14841AE914A7310D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066E3418 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066E349F

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b35f7a7f2396704c9481bb8ea8f755cc70ca18811d290ed305831b4d251cdcfb
Instruction ID: ca88da3970b87017c204111ff04584e2fd5397dd937aeca25c88df55579234f4
Opcode Fuzzy Hash: b35f7a7f2396704c9481bb8ea8f755cc70ca18811d290ed305831b4d251cdcfb
Instruction Fuzzy Hash: B921E6B5900218DFDB10CFA9D584ADEFBF4FB48310F14841AE954A7310D375A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01648071 Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 016480E8

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8d11bcb88db4606ad322011170e522c3eec5d3010e41aa3065de57f8c7ad3b5b
Instruction ID: b67a3ce2d1f5c4dbf63a296f3c2a7b68b99c3dd5183ee754ea1dccfe00f3426a
Opcode Fuzzy Hash: 8d11bcb88db4606ad322011170e522c3eec5d3010e41aa3065de57f8c7ad3b5b
Instruction Fuzzy Hash: F72158B6C006199BCB14DF9AC8447EEFBF4FF08720F108129D918A7240D778A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01648078 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 016480E8

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6c5286313c72fab36b7866bf9e6fd20c8f7cb2930545a12370af17ecba50e7da
Instruction ID: 20fb7b9897a13f2ad5cd565ac116b6c8453ec60c1df0811091c5071ee04d8313
Opcode Fuzzy Hash: 6c5286313c72fab36b7866bf9e6fd20c8f7cb2930545a12370af17ecba50e7da
Instruction Fuzzy Hash: 861133B1C0061A9BCB14CF9AC944BAEFBB4FB48720F10812AD818A7250D778A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066EBB59 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 066EBBCA

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 46f658a8c26939c4b50c80536d70a3b5625d822a54f549b9fd51be127dcc3036
Instruction ID: 646bb7683a570694ed7c4f2ed0acb2f8786f3737692a72612647ae1319a10a5d
Opcode Fuzzy Hash: 46f658a8c26939c4b50c80536d70a3b5625d822a54f549b9fd51be127dcc3036
Instruction Fuzzy Hash: 9A1126B6D003099FDB10CFAAC985ADEFBF4EB48310F14842AE419A7210C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0164F080 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0164F0E7

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8c9d5cd547f4a18192e684ef1559a6c34aa859bbf0be08290724e70cae53efd9
Instruction ID: a07eeaee3c43acd4d791a3c791b7ac1c18263dfe7359a131617237a2f096b581
Opcode Fuzzy Hash: 8c9d5cd547f4a18192e684ef1559a6c34aa859bbf0be08290724e70cae53efd9
Instruction Fuzzy Hash: FF1123B1C002599BCB10DFAAC444BDEFBF4BF48320F10816AD818A7250D778A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066EBB60 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 066EBBCA

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ddf049f9877d5c8ac61b2b272c3c920dc067f5f7783b8d58fb506c4fe8b718ce
Instruction ID: 20fd229288f716959634961ba10e364179a248df0a7bc51ca7aad3d09b1aae2a
Opcode Fuzzy Hash: ddf049f9877d5c8ac61b2b272c3c920dc067f5f7783b8d58fb506c4fe8b718ce
Instruction Fuzzy Hash: FA1104B6D003099FDB10CF9AC984ADEFBF4EB88310F14842AD459A7710C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066EA6A8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,066EB724), ref: 066EB95E

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a0a698dd15aea82c0ce8ab6f927739a979a31d3897350d24e7ec75dbfaaeed5
Instruction ID: 4a18dc1fbd82351024a3bb14e68602823abe7f8c7525508f73db4672ad382458
Opcode Fuzzy Hash: 0a0a698dd15aea82c0ce8ab6f927739a979a31d3897350d24e7ec75dbfaaeed5
Instruction Fuzzy Hash: 3D11FDB5C01349DFDB20DF9AD584A9EFBF4EB88324F10842AD869A7310D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F4C71 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XPcq, xrefs: 066F4DAD

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 687b6a5f8d0929154e2250c6d7c3bb8df5881ee84fe885a5d700f78d108963b4
Instruction ID: 1e4d08922a1195e411427eba6ab30e099fe0b4044b4d7283d71bdc8b74a18c22
Opcode Fuzzy Hash: 687b6a5f8d0929154e2250c6d7c3bb8df5881ee84fe885a5d700f78d108963b4
Instruction Fuzzy Hash: FD418D30F102089FDB559FA9C854BAEBBF7EF88700F20852AE105AB395DF758D418B91

Uniqueness

Uniqueness Score: -1.00%

Function 066FDB95 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066FDCF1

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 0b6e3ac1aac322cbd24d0577f1de4d8f31a817e72d56912ab26e7df680fa042d
Instruction ID: 8944a9453d3edcdadbd19fa3576c46790805e96551e6386aa49b2798bce11636
Opcode Fuzzy Hash: 0b6e3ac1aac322cbd24d0577f1de4d8f31a817e72d56912ab26e7df680fa042d
Instruction Fuzzy Hash: 6641B070E1020A9FDB55DF65C89469EBBB6EF85340F20492AE506EB340DF71E846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066F21BD Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066F230B

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 84e80b0b273108dc98923f7c4a569fa4a76a21723095ffe36fb585ae4e16654a
Instruction ID: 1de3e0cac289e5e6a515b59bc3218023c309228ceccc6615b79ef4a7390a7b85
Opcode Fuzzy Hash: 84e80b0b273108dc98923f7c4a569fa4a76a21723095ffe36fb585ae4e16654a
Instruction Fuzzy Hash: D0412530B242058FCB499BB4C82426E7BE7AF89200F144569D606DB395DF36DE42CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 066F21D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066F230B

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 91c42fb81307de43917fe1bd4d9a49251597bd95e5574bd60e8e06ff57024888
Instruction ID: 00f3c56d1542460d161a4a70ccb8d415d5bd14017d1b702fc6c6195020f24b1e
Opcode Fuzzy Hash: 91c42fb81307de43917fe1bd4d9a49251597bd95e5574bd60e8e06ff57024888
Instruction Fuzzy Hash: 8B312231B202058FCB49ABB4C92466F7BE7AF89304F204428D106DB394DF36DE42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F83A0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 066F83EB

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 4f0edfd917d6a105b3f0a806f593afc79235718b90c3b764192b75174001691d
Instruction ID: 790c391eafe7c9e14e8b12efb9947318fc00300d91b4842ff120a7692ea8ccc6
Opcode Fuzzy Hash: 4f0edfd917d6a105b3f0a806f593afc79235718b90c3b764192b75174001691d
Instruction Fuzzy Hash: B6F0C232B241119FDF649F94E9806A8B7B8EB40314F1444BEEA05DB355CB31ED17CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066F4B69 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 066F4B75

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: fe2a379b685610dfe538ebfb9fb7b4edb725f7f48506b398188d4e18afcdf09a
Instruction ID: d4606df1dbf69744b16680a2850457f0a90411a44bcc85ad67523c9c16732d3d
Opcode Fuzzy Hash: fe2a379b685610dfe538ebfb9fb7b4edb725f7f48506b398188d4e18afcdf09a
Instruction Fuzzy Hash: 53F0DA30E20129DBDB14DF94E9997AEBBB2FF88714F204519E502A7795CB741D05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 066F62B8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572871a4ff8bac0f0e386f3fd2f04fb397d4be75628a9c9f4c10ff7a51abd140
Instruction ID: 1f4fb3e75a58cd56cd65fa431e2ffd40ad09645fb263dbaff9b80c0740800c40
Opcode Fuzzy Hash: 572871a4ff8bac0f0e386f3fd2f04fb397d4be75628a9c9f4c10ff7a51abd140
Instruction Fuzzy Hash: 1E61C172F100214FCB109B7DC88466FAAD7AFC5624B25443AE90EDB364DEA6DD0287C2

Uniqueness

Uniqueness Score: -1.00%

Function 066F43B0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f22727689ed438d92ba484d30e8ac78b3b0c61dd1e54a02e357b234d5939ad
Instruction ID: 9a0948eff3263c593d0d2a19065d69a11f02ca577cf1089683042625494f9a0f
Opcode Fuzzy Hash: b2f22727689ed438d92ba484d30e8ac78b3b0c61dd1e54a02e357b234d5939ad
Instruction Fuzzy Hash: A5814F30B102059FDF54DFA9D5906AEB7F6AF89304F108425E50AEB795EF30EC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 066F46D0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d7b5b0d51f2d1fe6625eb3abf5b09705dc6c837bd730c4bd49f8407a876f60
Instruction ID: 93c422495a82c998f6c172074c8f7632b63a2db27969673f6737e016932d145b
Opcode Fuzzy Hash: 75d7b5b0d51f2d1fe6625eb3abf5b09705dc6c837bd730c4bd49f8407a876f60
Instruction Fuzzy Hash: 51915E30E102198FDF60DF68C890B9EB7B1FF89314F208599D549AB395DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066F46E8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3952eb20dd4052e9134b88ad5b5e288889c65f1fb12cff4b7155f13b0d4f3ed9
Instruction ID: 93575441a85d21e234624f1d32d25faa754fdbebfc01335ebe7f6f32f4cbe6ba
Opcode Fuzzy Hash: 3952eb20dd4052e9134b88ad5b5e288889c65f1fb12cff4b7155f13b0d4f3ed9
Instruction Fuzzy Hash: CA914E30E102198BDF60DF68C980B9EB7B1FF89310F208599D559BB355DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066FEFF8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778691bca13e6bec812b24ea64b1a3cc8b2d4e43a497b22f497c5f6914000ab0
Instruction ID: bf450ab561c047ed75e32e141fef8ee5da77179fc2cb784ce42338a6d899d34b
Opcode Fuzzy Hash: 778691bca13e6bec812b24ea64b1a3cc8b2d4e43a497b22f497c5f6914000ab0
Instruction Fuzzy Hash: 5F716A30A102499FDB54DFA8D980A9EBBF6FF88300F248429E105EB355DB31ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066FF008 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0699a044a33c7a455fb99de1147cd77430298d1ee0949f44a130d82992c0354b
Instruction ID: 0db2ad9bd73ca2ee0f097a68108b86ad8532bfff2f9ed263ccf38b542d7c1ba2
Opcode Fuzzy Hash: 0699a044a33c7a455fb99de1147cd77430298d1ee0949f44a130d82992c0354b
Instruction Fuzzy Hash: 3D714B70A102099FDB54DFA9D980A9DBBF6FF88300F248429E105EB355DB31ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066FFD60 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e7211e78a97acf36b62c10058bef0a5f50c911e83e983bb2a69fa06a56ddaf
Instruction ID: faa8562dd24fcebe33ac3c4e28157fe2f1509133f417f5be8813a36e29815f37
Opcode Fuzzy Hash: 51e7211e78a97acf36b62c10058bef0a5f50c911e83e983bb2a69fa06a56ddaf
Instruction Fuzzy Hash: 3F51E231E11105AFCBA4EFB8E8946ADBBB2FF85315F10486AE206D7350DF358956CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066FFB0F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4598938c2273f435e5a867a1e069356c06dda720ddf95fa4dbd1325b3eb131
Instruction ID: 287110f64f8b3be5c2bc498d041e17a51307c1a115bbf14603f71691a0121310
Opcode Fuzzy Hash: 2a4598938c2273f435e5a867a1e069356c06dda720ddf95fa4dbd1325b3eb131
Instruction Fuzzy Hash: 4B51DB34B202149FEFA4677CD99476F265FD789310F20092AF60AD73D5CA79CC5683A2

Uniqueness

Uniqueness Score: -1.00%

Function 066FFB20 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc2cf965ebf69a74bf28a7a313ebf9df83e63dfd7fd588ee79b28a4203f77a1
Instruction ID: 8f06de885f8611bab03ab6ceeb2508d250efa74b7865c91b6ce4be6da9fe8aa6
Opcode Fuzzy Hash: bbc2cf965ebf69a74bf28a7a313ebf9df83e63dfd7fd588ee79b28a4203f77a1
Instruction Fuzzy Hash: A051C834B202159FEFA4677CD99476F255FD789310F20082AE60AD73D8CA79CC5683A2

Uniqueness

Uniqueness Score: -1.00%

Function 066F5528 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23467d46aa77b7722ffc3621d9d961aad5c5d4c54505f404851fe35dfd1ecc17
Instruction ID: 7394ae7b88b562564383771dc059e09deff688248bef92a9723da1c74cee525b
Opcode Fuzzy Hash: 23467d46aa77b7722ffc3621d9d961aad5c5d4c54505f404851fe35dfd1ecc17
Instruction Fuzzy Hash: CF415E71E106099FDF70CFA9D880AAFFBB2EB95310F10492AE256D7654D730EC498B91

Uniqueness

Uniqueness Score: -1.00%

Function 066FDA48 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc4eeab13433de9e1e4c7f68989fec7558d7147968270195408faadc1baed99
Instruction ID: 226a6d3cd4801dba8e6af2820c40265d3e73a2dc7e69ebefb065e105cabea2bc
Opcode Fuzzy Hash: 8bc4eeab13433de9e1e4c7f68989fec7558d7147968270195408faadc1baed99
Instruction Fuzzy Hash: F3319030E142099FCF15DF65D98069EBBB2EF85304F104929E505E7354EB70F94ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 066F2080 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a0c08d6124ddb3e491a181d040da3c693ebbb2d9e9dd0e96e3c17d0c102e57
Instruction ID: 35c6a86c969f03969d616a643ac05768d4226329aa62243b858083778bf638c1
Opcode Fuzzy Hash: f8a0c08d6124ddb3e491a181d040da3c693ebbb2d9e9dd0e96e3c17d0c102e57
Instruction Fuzzy Hash: C0317031E142059BCF55DFA4D8A469EB7B6BF89300F108529EA06E7390DB71ED46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 066F3FB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc960e59222532fe32e2e90dc95119661f8f2ef305be173b0cab87e3d2b75cf
Instruction ID: f49b98b586ce7cd9d4d2cb3ee09a3f0b1cc583c15cd56cfb289f91840f7087d5
Opcode Fuzzy Hash: 3bc960e59222532fe32e2e90dc95119661f8f2ef305be173b0cab87e3d2b75cf
Instruction Fuzzy Hash: 5B218D36F102059FDB41DFB9D840AAEBBF5AB88250F048025E915E7385E731E952CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 066F3FC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114e7b0ff4a6718164d0349e82c619d0d5ea956544752f5150f7652b9b197436
Instruction ID: 30728400c76eb3575f5d49654d38eb71b72d5ec47a4bb6d253900b2a2e41b9fd
Opcode Fuzzy Hash: 114e7b0ff4a6718164d0349e82c619d0d5ea956544752f5150f7652b9b197436
Instruction Fuzzy Hash: A3219C76F102059FDB50DF68D940AAEBBF5FB48250F108029EA05E7384E731DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2895211109.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f2d000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15527d0a657713d66cf27868c4bb6a55cb34d1cf8e9765cb3aa25f52472ca465
Instruction ID: 2dceecb4141308f773c32b9e1320cffc92071cbf1da4a6e3eadc720bdd36f4a5
Opcode Fuzzy Hash: 15527d0a657713d66cf27868c4bb6a55cb34d1cf8e9765cb3aa25f52472ca465
Instruction Fuzzy Hash: 4B212671504204DFDB14DF14E9C0B26BBA5FB84324F34C66DD94A4B2AAC33AD847EA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2895211109.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f2d000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c7da19aa66dcb74f6c4ef3bbfc395b939f5be597c0d59b0fdfb998a978e7df
Instruction ID: a72714a8b096563b431f222fe0d29c7492d1440ab07cf87345fc94c56077bc75
Opcode Fuzzy Hash: 01c7da19aa66dcb74f6c4ef3bbfc395b939f5be597c0d59b0fdfb998a978e7df
Instruction Fuzzy Hash: 9F215C7150D3C09FC703CB24D994711BF71EB46224F29C5DBD8898F2A7C23A981ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 066F3568 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d447b020616bab55565941737fc57ef3d5f9c124c01be61428d5045a043fb605
Instruction ID: 360423b7d0bc59eb2c435cf2c793c6c90517d6d2ad08d22bd4d85fa24da13a9c
Opcode Fuzzy Hash: d447b020616bab55565941737fc57ef3d5f9c124c01be61428d5045a043fb605
Instruction Fuzzy Hash: 4121F071E002185FCB54DB79D8406DEFBB5EB89314F008469E10AE7300EA31DA45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 066FA3D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc86a86be6f5ea68d5080c43b2164eb3cf8c1cd3b659d99d17c242ea5dce79d
Instruction ID: 1e970fbc3639d2190a2240ce1542f633673351e58fcc5945d568900b426267c4
Opcode Fuzzy Hash: 3fc86a86be6f5ea68d5080c43b2164eb3cf8c1cd3b659d99d17c242ea5dce79d
Instruction Fuzzy Hash: E6110831B242005FCB51DB7CE854B5ABBDADB46610F008479F60DD73A1DE24DC4287D2

Uniqueness

Uniqueness Score: -1.00%

Function 066F40D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9c996a080b1d3ed31f6eb8200581f4a6b01e7977a3df05e609101e57141ace
Instruction ID: 4ca741bedabd2bd60a064ca89700af622ba868ed7371458cbb4da83bdf953ede
Opcode Fuzzy Hash: 2d9c996a080b1d3ed31f6eb8200581f4a6b01e7977a3df05e609101e57141ace
Instruction Fuzzy Hash: 92118B32B241289FDB549768DC14AAF73EBEBC8210B00843ADA0AE7344DE759C028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 066F4310 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8355df7c2f81d7a0548b8f3e21bff858b10a774e3b7ed39a0081c3a231047c
Instruction ID: 461656152d776c98dbe34f1fc00266f1c8f6f453a0b87031c139d869f35abe8a
Opcode Fuzzy Hash: 7f8355df7c2f81d7a0548b8f3e21bff858b10a774e3b7ed39a0081c3a231047c
Instruction Fuzzy Hash: 9401B131B141101FDB619A7EE81072FBBDACFCA320F248439E14ACB746DE25CD864392

Uniqueness

Uniqueness Score: -1.00%

Function 066F3D90 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b8eaa8d8b5dad5f618999301c3dfc18fcd642c6d5cfcc35b4d3c7250d9a401
Instruction ID: dc364d71048c8a84b4271141e698327e87faa4593a7a4b88fd3be683fc48a617
Opcode Fuzzy Hash: b8b8eaa8d8b5dad5f618999301c3dfc18fcd642c6d5cfcc35b4d3c7250d9a401
Instruction Fuzzy Hash: DE21B2B5D01259EFCB00DF9AD885ACEFBB4FB48324F10852AE518A7200C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066FF27A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdb436724fd526d0ac0160df92659ac25daddf6e186dcd9436038f2b620c9f1
Instruction ID: 62fdf1358b20812331eb4bf8b339aa311b6d9c224e9edfd213d2bb9256290655
Opcode Fuzzy Hash: bcdb436724fd526d0ac0160df92659ac25daddf6e186dcd9436038f2b620c9f1
Instruction Fuzzy Hash: 1E01A235B100101BDB609ABDE990B6F67DBDBC9724F108839F60AC7340DE62DC4243D5

Uniqueness

Uniqueness Score: -1.00%

Function 066F56A0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa872dd0dd590eccf0586650f15d3a0c445b1bdf9fff3a9a9d93592d66913d2a
Instruction ID: 083b7f089f46ab8325467b840d088088f55b7a8f5cb04b32f0f7f2c81e64e33a
Opcode Fuzzy Hash: fa872dd0dd590eccf0586650f15d3a0c445b1bdf9fff3a9a9d93592d66913d2a
Instruction Fuzzy Hash: 7811C471E242558FDF608FAAC8806AEFFB5FB45210F10847BDA59D7242D630DE10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F40C7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7429e4256aceb40826706efbb341f468fcfaa04d59a678b74fdee19cfbd82880
Instruction ID: 39e3d6a8f24826076208317485842741a6108525a60cbfe40abf8cbef1bc95ca
Opcode Fuzzy Hash: 7429e4256aceb40826706efbb341f468fcfaa04d59a678b74fdee19cfbd82880
Instruction Fuzzy Hash: 3A01B136B200156BDB54DA68DC106EBB3EAEBC8310F004136D91AD3344EF71AC1287E2

Uniqueness

Uniqueness Score: -1.00%

Function 066F3D98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a843fc1dde48eb98ba4047570d0274117200136e85a9e58b39610e902a6b2e30
Instruction ID: ccf47d3c13299bc2c841c385241ab929cb5c4c7d7cf14214b3c094e1fbca6264
Opcode Fuzzy Hash: a843fc1dde48eb98ba4047570d0274117200136e85a9e58b39610e902a6b2e30
Instruction Fuzzy Hash: 5211D0B5D01259AFCB00DF9AD884ACEFBB4FB48324F10812AE918B7300C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066F4320 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a69d979d9e6e1f45032213685f4bf7f1d920a840b091af77f978440506fa7c
Instruction ID: c880875bbe830576dca30b0eef8028d9a06c2d77d00727b5ad01361ec120e771
Opcode Fuzzy Hash: e8a69d979d9e6e1f45032213685f4bf7f1d920a840b091af77f978440506fa7c
Instruction Fuzzy Hash: B401D132B100101BEF609A7EE41072FB7DADBCA720F248439E20EC7745DE21DC424385

Uniqueness

Uniqueness Score: -1.00%

Function 066FF288 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8299c59d78c7048e0fcb95d5a4bbac47330e27879d6fca0ade7789cd62b34d
Instruction ID: 14b640b37635307bf190fcb4a70078085645d31f4322f6bbe4b53aaf182636b7
Opcode Fuzzy Hash: be8299c59d78c7048e0fcb95d5a4bbac47330e27879d6fca0ade7789cd62b34d
Instruction Fuzzy Hash: 7201AF35B200151BDB649ABDE59072EA7DBDBCA724F10883AF60AC7340EE76DC0247D5

Uniqueness

Uniqueness Score: -1.00%

Function 066FA3E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0229d3fb8aba45cf84b36229dd6d495d71638008239f182f1477971726640c
Instruction ID: eba672995fe976afcebd1108b2b5965d70d659d321b97994730a86c892280593
Opcode Fuzzy Hash: bc0229d3fb8aba45cf84b36229dd6d495d71638008239f182f1477971726640c
Instruction Fuzzy Hash: 04016D31B201109FCB54EAADE85472AB3D6EB8A714F108438E60ED7354EE21EC4287C1

Uniqueness

Uniqueness Score: -1.00%

Function 066F6541 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97476c77bfe271658c71236d653808730963f67f98a211d9aa6890916d8f4486
Instruction ID: bfbe016c78e119791d5d2c61281bb699074f10463e01daa35202631c8e506808
Opcode Fuzzy Hash: 97476c77bfe271658c71236d653808730963f67f98a211d9aa6890916d8f4486
Instruction Fuzzy Hash: DDE09271E25248BBCB60CF78C94579EBBB8EB02208F1084D6D958EB203E632DE118791

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 066F7770 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 066F7CD2
$^q, xrefs: 066F7CDE
$^q, xrefs: 066F7CBC
$^q, xrefs: 066F7C29
$^q, xrefs: 066F7891
$^q, xrefs: 066F789D
$^q, xrefs: 066F7860
$^q, xrefs: 066F7CC8
$^q, xrefs: 066F786C
$^q, xrefs: 066F7C1D

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: acc86cb0e7e22f944bb05f4f78b74bce4fdd2d0dad7c8510c58103f2b2cc96df
Instruction ID: 28acc247378626b938a305d54a99cc15561c39051eca4713e9961fda14c83a00
Opcode Fuzzy Hash: acc86cb0e7e22f944bb05f4f78b74bce4fdd2d0dad7c8510c58103f2b2cc96df
Instruction Fuzzy Hash: E7122E30E10219CFDB68DF65D954AADBBF2BF89304F208569D509AB354DB309D86CF81

Uniqueness

Uniqueness Score: -1.00%

Function 066F5DAB Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

XPcq, xrefs: 066F5EE4
\Ocq, xrefs: 066F5F25

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: XPcq$\Ocq
API String ID: 0-2802517751
Opcode ID: 7bd75b882657616ffdcf8af7b0823f0c9f54d03437628588e02dc23fb5e6d9cc
Instruction ID: 5828239818050f53403812449aba7c46d2d6d7d1c6fbfcda0c75a1932f257c18
Opcode Fuzzy Hash: 7bd75b882657616ffdcf8af7b0823f0c9f54d03437628588e02dc23fb5e6d9cc
Instruction Fuzzy Hash: 43E11431B201148FDB54DB78D890AAEBBF2FF89310F25846AE646DB392CA35DC41C791

Uniqueness

Uniqueness Score: -1.00%

Function 066F0006 Relevance: 2.0, Instructions: 1980COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a811ee07afb876a5bf387c63c48df9d2fdba520d8a712e17065369ba389feb98
Instruction ID: 2b15090ee419aeb9658a639849246f83fc2f12fcc5f7f843a380714462d435e3
Opcode Fuzzy Hash: a811ee07afb876a5bf387c63c48df9d2fdba520d8a712e17065369ba389feb98
Instruction Fuzzy Hash: 46230A31D20B198ECB15EB68C89059DF7B1FF99300F15D79AE458B7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066FE480 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066FE6E0

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: bc5dda43ea794272ca7770990233517cb4867ba8f0915f3f0e9389e4e74c8fd2
Instruction ID: 2d0574985ebad6940357428a81e582d8cf068298e59ded688ce5761229155fba
Opcode Fuzzy Hash: bc5dda43ea794272ca7770990233517cb4867ba8f0915f3f0e9389e4e74c8fd2
Instruction Fuzzy Hash: C122D130B101059FDB54DB68D984B9EBBF2EF89310F208469E506DB365DB36EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066EBDE0 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3a89a86cfc1d8ae9c5f6cbf13d6dba8e9f73b834f9065728120c2d6f9f7ba3
Instruction ID: 4c0639b3aa194d9b994d0b8a20d688054a167d50b7a7683340fcb37cb653cad8
Opcode Fuzzy Hash: 9c3a89a86cfc1d8ae9c5f6cbf13d6dba8e9f73b834f9065728120c2d6f9f7ba3
Instruction Fuzzy Hash: 56523AB0501B66CFD722CF28E8881997BB1FB41328B90C71AD5616B2D9D7B4658FCF84

Uniqueness

Uniqueness Score: -1.00%

Function 016441D8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2895489172.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1640000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f5a40328507f2078052460ba6dd059487696a783bcf4740d5f8157df0ca402
Instruction ID: 57ba6a86c7282d8fa3f44d1cc312b3adaf1e35b8d1b0cf4d00db6bb97ec1bee8
Opcode Fuzzy Hash: a2f5a40328507f2078052460ba6dd059487696a783bcf4740d5f8157df0ca402
Instruction Fuzzy Hash: 42B12C70E002198FDF14CFA9D8867EEBBF2AF88714F148129D815A7394EF749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066EA594 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2900655022.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66e0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d911cbf23307ea88bab9bda58b9ae5ca12f3afa797ce76a36e9eb24dd56c793
Instruction ID: 6737e3ff140cc8253d9d8c0f6b8c5d7218f759faf1e14fcadf8640f132466fbe
Opcode Fuzzy Hash: 9d911cbf23307ea88bab9bda58b9ae5ca12f3afa797ce76a36e9eb24dd56c793
Instruction Fuzzy Hash: F2A19F32E01209CFCF45DFB5D9805AEBBB2FF85300B15856AE915AB221DB31E916CB80

Uniqueness

Uniqueness Score: -1.00%

Function 066FAA10 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 066FAB6D
$^q, xrefs: 066FAB8C
$^q, xrefs: 066FAB12
$^q, xrefs: 066FAB98
$^q, xrefs: 066FAB61
$^q, xrefs: 066FAB06
$^q, xrefs: 066FABC2
$^q, xrefs: 066FABCE

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 6e9e5d0bdc694482e91990ca72d61dfa2655ddb118e4d6b21dbbf39716475efc
Instruction ID: 68e5df8c6c2b71fda600d7a580f6a69e6b49616041b5cc230b8df102a1112921
Opcode Fuzzy Hash: 6e9e5d0bdc694482e91990ca72d61dfa2655ddb118e4d6b21dbbf39716475efc
Instruction Fuzzy Hash: 99917130E20209DFDB68DFA5D954BAEBBF6BF44301F108929E909AB354DB349D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066F7170 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 066F7678
$^q, xrefs: 066F74AC
.5vq, xrefs: 066F71CB
$^q, xrefs: 066F74B8
$^q, xrefs: 066F7684
$^q, xrefs: 066F7452
$^q, xrefs: 066F760C

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 602c1ad50aff1e708c263a03fb8ecbb85c79caa7bfed6441d0e4b6952d9826bb
Instruction ID: f5b3c302880598e4bf4e804b1e086867f515565bd06eb1e3427698e43f8b0c4b
Opcode Fuzzy Hash: 602c1ad50aff1e708c263a03fb8ecbb85c79caa7bfed6441d0e4b6952d9826bb
Instruction Fuzzy Hash: FEF13F30A11209CFDB55EFA4E594A5EBBB3FF84300F248568E5059B398DB31EC86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066F84A8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 066F8767
$^q, xrefs: 066F870E
$^q, xrefs: 066F8702
$^q, xrefs: 066F8773

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2d4eefdba42537b50ac375335558bb4874464e60f0c830497763762307dc2f8f
Instruction ID: 5cd35326641cb2079732329e5f0211bb3e64349768cebd6f88d24e6bb3001d6a
Opcode Fuzzy Hash: 2d4eefdba42537b50ac375335558bb4874464e60f0c830497763762307dc2f8f
Instruction Fuzzy Hash: 95B13C30E102099FDB54EB69D99469EB7B2FF84300F24886DE506AB395DB75DC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 066F88C0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 066F8A02
$^q, xrefs: 066F893F
LR^q, xrefs: 066F89B3
$^q, xrefs: 066F894B

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 2257baab2b6eb768300f078772eba9b5693c3659d78f971bd63e86e5e6f55252
Instruction ID: 67c2c6e3863768149d3f33ba581048d3b46e23f65fdff4c4d76ddf63d9252ae1
Opcode Fuzzy Hash: 2257baab2b6eb768300f078772eba9b5693c3659d78f971bd63e86e5e6f55252
Instruction Fuzzy Hash: 8051AE31B102059FDB58EB28D940A6AB7F6FF89700F1485ACE506DB3A5DE30EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066FAD98 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$^q, xrefs: 066FAF74
$^q, xrefs: 066FAEC9
$^q, xrefs: 066FAF4B
$^q, xrefs: 066FAF1C

Memory Dump Source

Source File: 00000001.00000002.2900756933.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f0000_Leoch-Purchase Order.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: e37a1bf1ed5f18058aed8835592e27025d406d3db15af9d0312f7e82968f146e
Instruction ID: dbd2a67dc4a8eb810ecfb11d9a7f4cf1e4e80e242d569e430cdadb3c683bb0bb
Opcode Fuzzy Hash: e37a1bf1ed5f18058aed8835592e27025d406d3db15af9d0312f7e82968f146e
Instruction Fuzzy Hash: DD516230E21205DFDFA5DBA4E9806AEB7B2EF85310F148529E609DB354DB30EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: uaAWu.exePID: 7628, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	36.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	123
Total number of Limit Nodes:	0

Executed Functions

Function 02570000 Relevance: 13.9, APIs: 9, Instructions: 351
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02570054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 02570167

NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 02570192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 025701C9
WriteProcessMemory.KERNELBASE ref: 02570217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 025702FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 02570355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 025703A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 025703EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0257040C

Memory Dump Source

Source File: 00000002.00000002.1775596305.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_uaAWu.jbxd

Similarity

API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
String ID:
API String ID: 2814188497-0
Opcode ID: 083de847d8922841928b66d0ab862014bd189770b687f49c37d57b8513a74b61
Instruction ID: dee99e88c6bdc7eac9d70d7347335dc40c3224c46aa3fa79bbfa80f532b96ad8
Opcode Fuzzy Hash: 083de847d8922841928b66d0ab862014bd189770b687f49c37d57b8513a74b61
Instruction Fuzzy Hash: C1B10F746E0245BFE61577F1EC06F2937A7BFC6708F148079E2005F1E1D9A25811CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 02570054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02570420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,02570083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0257043F

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 02570167
NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 02570192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 025701C9
WriteProcessMemory.KERNELBASE ref: 02570217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 025702FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 02570355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 025703A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 025703EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0257040C

Memory Dump Source

Source File: 00000002.00000002.1775596305.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_uaAWu.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
String ID:
API String ID: 4009322845-0
Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction ID: a9306a9c03bc0d80599ab0265a18f81c9968f9ea93b1fd6ab8f1c6b130c85fd2
Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction Fuzzy Hash: C9A1DC747E0206BFE61577F1EC46F293697BFC5B0CF208178E2006F1D1D9A26D219A6A

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0578 Relevance: 1.9, APIs: 1, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00AD1053

Memory Dump Source

Source File: 00000002.00000002.1775408709.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad0000_uaAWu.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8810e58b302d6705024b374d3ec7fc97faba2c4259e60394726c82b6a1559a2e
Instruction ID: a72d70bcb54ba0cb39847351fbb190b0e3736793e323270307b99ea3eb08231a
Opcode Fuzzy Hash: 8810e58b302d6705024b374d3ec7fc97faba2c4259e60394726c82b6a1559a2e
Instruction Fuzzy Hash: FD41E6719083848FCB02EF78D858ADEBFF0EF4A310F0584AAD495DB262D7345849CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AD05B4 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00AD1053

Memory Dump Source

Source File: 00000002.00000002.1775408709.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad0000_uaAWu.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c475f4477e219b3927b16ca73eb340aca9c7e7c15fd6e2ad9c4714eed25dd962
Instruction ID: 9801559a433c21249ae764560f4f6ff7ef98edcaed798c1c934f1e9834c86bb3
Opcode Fuzzy Hash: c475f4477e219b3927b16ca73eb340aca9c7e7c15fd6e2ad9c4714eed25dd962
Instruction Fuzzy Hash: F31104B5900248DFCB20DF9AC844BDEBFF4EB48320F20842AE569A7350C375A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0FE0 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00AD1053

Memory Dump Source

Source File: 00000002.00000002.1775408709.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad0000_uaAWu.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f15214c56964eaa28b7e6d8c06ac03afada4bc405002db2952a652d36217bc64
Instruction ID: 5c6c88fb8823a240244454d19e0e6c21514be57c5534f49275d1f35f0e8d84f7
Opcode Fuzzy Hash: f15214c56964eaa28b7e6d8c06ac03afada4bc405002db2952a652d36217bc64
Instruction Fuzzy Hash: 711116B5900249DFDB20DF9AC844BDEBFF4FB48324F208419E558A7250C375A980CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0C80 Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00AD0D48

Memory Dump Source

Source File: 00000002.00000002.1775408709.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad0000_uaAWu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 34d7fd4bf9fd2d29f5dd7cc92eba8c7f7962189cb7f3bc29e5c81c23f1a83ce5
Instruction ID: 1132e5fdb90b5b12e18823d97e54c9efeaaa5ff6ed335b9787e0f2701b20efc2
Opcode Fuzzy Hash: 34d7fd4bf9fd2d29f5dd7cc92eba8c7f7962189cb7f3bc29e5c81c23f1a83ce5
Instruction Fuzzy Hash: 7D31BF75A002089FCB14DF9AD944B9EBBF5EF88320F10846AE559A7350CB74A841CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02570420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,02570083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0257043F

Memory Dump Source

Source File: 00000002.00000002.1775596305.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_uaAWu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction ID: 8ca280a8df2c68e2a64f7fcb3bdcddba9d1361b84ed39647e5016d55ffeda2c6
Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction Fuzzy Hash: CCD0A9701D43026AE2017BA2AC02F0826C3BB80B09F400824F304380E0C5AA98180A5A

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D6CD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1775312513.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a7d000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a024bd853a8bfa8ce2a24e04aba2b1fe8e5b7488e6e691414cfb25facfc0008
Instruction ID: 6aca07d1670c37dcfc94f0d88ab00c42d0e256ac815e50b5de7c3905886ace5f
Opcode Fuzzy Hash: 0a024bd853a8bfa8ce2a24e04aba2b1fe8e5b7488e6e691414cfb25facfc0008
Instruction Fuzzy Hash: 1401DB710083409AE7144B15CDC4767FFFCEF45364F18C929ED0D5A196C679D840CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D6CC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1775312513.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a7d000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def5d5a1fdfe1d1223722952064a8697ff4c0da2b81f5e6f6e4f7ec9351f4eac
Instruction ID: cd00316e1cd1def30b76d4c4be17ad49818ebf2cf6b7067b325a4939f6d7170c
Opcode Fuzzy Hash: def5d5a1fdfe1d1223722952064a8697ff4c0da2b81f5e6f6e4f7ec9351f4eac
Instruction Fuzzy Hash: 1CF06271408384AAE7148B16DCC4B62FFACEF55774F18C45AED4C5A296C2799844CA71

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: uaAWu.exePID: 7776, Parent PID: 7628COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	184
Total number of Limit Nodes:	8

Executed Functions

Function 06F73170 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F73898
$^q, xrefs: 06F7387B
$^q, xrefs: 06F7386F
$^q, xrefs: 06F738BC
$^q, xrefs: 06F738A4
$^q, xrefs: 06F738C8

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 4033416a34005d0632367cc92cebcdfbaf9154fe278ee517ea239f95481926ff
Instruction ID: 12c611064fa6c524bf68690585b5967d79365ceedaab606c0d307172cdf8a678
Opcode Fuzzy Hash: 4033416a34005d0632367cc92cebcdfbaf9154fe278ee517ea239f95481926ff
Instruction Fuzzy Hash: C2323F31E1071ADFCB14DF79C8945ADB7B6FF89300F1486AAD449AB254EB30AD85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06F77E48 Relevance: 3.0, Strings: 2, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F783EF
$^q, xrefs: 06F783E3

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 52e4a1c80588fdc885c9c01557f99fd4feca9ca7a2b76912da42e69fff75e9a8
Instruction ID: f0a10fa53d69679bc09390c72a0d0aa25d23bfd01155383fe42087fb6a6287b9
Opcode Fuzzy Hash: 52e4a1c80588fdc885c9c01557f99fd4feca9ca7a2b76912da42e69fff75e9a8
Instruction Fuzzy Hash: D8029E30F012059FDB54DB68D894AAEB7E6FF88344F14846AD819DB390DB75EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F72349 Relevance: 1.1, Instructions: 1067COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cd679e31e4656bceaed09de98e849699647cfb6342e4012a51c15a03e50a09
Instruction ID: 78eb570c4a61a4ade1d7aef2b4388475e50212f78e54bd03cd42cf7be9dd6d9c
Opcode Fuzzy Hash: f6cd679e31e4656bceaed09de98e849699647cfb6342e4012a51c15a03e50a09
Instruction Fuzzy Hash: 66A2F234E002088FDB64CB68C584B99B7F2FB49314F5484AAE449AB361DB75EE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F766B8 Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74648c52015829b94a00f29792e28ee390aa8a53d8d3189ccbaaad82eff135b
Instruction ID: a85b7f45b2df3d219277cd12c8b8b14999834b272f80f41dbbf5f12259aa9f6e
Opcode Fuzzy Hash: c74648c52015829b94a00f29792e28ee390aa8a53d8d3189ccbaaad82eff135b
Instruction Fuzzy Hash: F4629D34F006058FDB54DB68D994AADB7F2EF88314F14846AE80ADB390DB35ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7C250 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b404604a2e626ba2ecd4b5d3e385b59ab0dfdff2bdd2292662a490519f1dd4
Instruction ID: 32177e2a9fe8bbfb059468e1e71b6208c253f4c28f6e68f189934ea27e292f66
Opcode Fuzzy Hash: 50b404604a2e626ba2ecd4b5d3e385b59ab0dfdff2bdd2292662a490519f1dd4
Instruction Fuzzy Hash: 93328034F002099FDB54DF68E990AAEB7B6FB89310F108566E409E7354DB35EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F756A8 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5887d74029c7b4f9280c7a5c166e53b323ce5afe4ca93d38e19d8d6e78a3f39a
Instruction ID: c1f74b49d9b9ea2de52347ac6146bb3539b42ce0d09cf55fa917ba85100f621e
Opcode Fuzzy Hash: 5887d74029c7b4f9280c7a5c166e53b323ce5afe4ca93d38e19d8d6e78a3f39a
Instruction Fuzzy Hash: 0312E471F002059BDB64DB64D8847AEB7B2EB85314F24883AD85ADB384DF34ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7B2F7 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbbafae6c13c63378635740197c664597621c96aec6f139ed8de91160eba5dd
Instruction ID: e84f21d031bae139acb4b3828b7708419bd7d63e886bc8281f748febb7468d11
Opcode Fuzzy Hash: 3fbbafae6c13c63378635740197c664597621c96aec6f139ed8de91160eba5dd
Instruction Fuzzy Hash: 59224F30E002099FEFA4DF68D5907AEB7B6FB8A310F148566E415DB395CA35DC81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06F7ADA0 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F7AF20
$^q, xrefs: 06F7AF78
$^q, xrefs: 06F7AECD
$^q, xrefs: 06F7AEC1
$^q, xrefs: 06F7AF6C
$^q, xrefs: 06F7AF43
$^q, xrefs: 06F7AF4F
$^q, xrefs: 06F7AF14

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 20a352ffc841504ce1b8d879f2d16bb834d1d29c449a69552d2fe538624ba0e5
Instruction ID: 3ae3d4579a5d690eef0cd061a13d5b2b7b90125d77140499beaf9865e0a9791f
Opcode Fuzzy Hash: 20a352ffc841504ce1b8d879f2d16bb834d1d29c449a69552d2fe538624ba0e5
Instruction Fuzzy Hash: 84E15B30E0020A8FDB65DF69D9846AEB7B2FF89304F11852AE409EB354DB75DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7B718 Relevance: 8.0, Strings: 6, Instructions: 478COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F7BCA9
$^q, xrefs: 06F7BC75
$^q, xrefs: 06F7BCDD
$^q, xrefs: 06F7BC9D
$^q, xrefs: 06F7BCD1
$^q, xrefs: 06F7BC69

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: bc62e08f92a802d4b198aa1c7ab058f937d8ee511a40715f85da6ff03977d5db
Instruction ID: 4239c5c2a3cc28703e2d0a847c8ec407b05a15e7df5dc19af64fb0fe28abbef4
Opcode Fuzzy Hash: bc62e08f92a802d4b198aa1c7ab058f937d8ee511a40715f85da6ff03977d5db
Instruction Fuzzy Hash: 61027B30E002098FDBA4DF68D5807AEB7B2FB46310F14856AE815DB355DB35DD86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06F79218 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F792CF
$^q, xrefs: 06F792C3
$^q, xrefs: 06F79288
$^q, xrefs: 06F79294

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 9776f5878a739030bae771d21318835b1bd6b74ccdef3c3f9e52fc893ddc9598
Instruction ID: 66e8eac6cfc01829fb811a84d03c20b34a8280ba5428a0594c97f03382606b43
Opcode Fuzzy Hash: 9776f5878a739030bae771d21318835b1bd6b74ccdef3c3f9e52fc893ddc9598
Instruction Fuzzy Hash: EE912C30F0021A9FDB54DB69D9507AEB3F6EBC9314F10856AC809EB344EA74DD86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7D018 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F7D417
$^q, xrefs: 06F7D423
$^q, xrefs: 06F7D40F

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: bfe5b46cd2ae645a0fc530bdfb2bd4be7fd7aaf8cb0974e2b0586f2b2d962ea1
Instruction ID: da121cad245473c69310ba1ea496e59173c718f262dc67aee29d7ceb72d608ed
Opcode Fuzzy Hash: bfe5b46cd2ae645a0fc530bdfb2bd4be7fd7aaf8cb0974e2b0586f2b2d962ea1
Instruction Fuzzy Hash: 3B623E30B002068FCB55DF68E584A5DB7B2FF84304F648969D4099F369DB75ED8ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 06F74C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06F74E2F
XPcq, xrefs: 06F74DA5
fcq, xrefs: 06F75385

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: e6213d94588f3190bd190275960ac602f9dab9143a62473565b54d5ad9b325dd
Instruction ID: dce71457b82b6c4b977de2664c41018ce038a5f8f2583400f5ce63ecb6cf491d
Opcode Fuzzy Hash: e6213d94588f3190bd190275960ac602f9dab9143a62473565b54d5ad9b325dd
Instruction Fuzzy Hash: F1616230F002099FEB559FA9C8547AEBBF7FB88310F20842AE505EB395DB758D458B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7920A Relevance: 2.7, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F792C3
$^q, xrefs: 06F79288

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 5c5a8107789ca4cec378bf927ab5f509a776f769dbb86bd308196e33c9a7e9ad
Instruction ID: 6b299d308154c5563b6d1fbf20c5f93cd1c3f58628ed2741a6202c2fb9b0add0
Opcode Fuzzy Hash: 5c5a8107789ca4cec378bf927ab5f509a776f769dbb86bd308196e33c9a7e9ad
Instruction Fuzzy Hash: 8F515F30B041059FDB54DB78D950BAEB3FAEBC9354F10846AD809DB744EA74DC42CB96

Uniqueness

Uniqueness Score: -1.00%

Function 06F6B6E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 083353b0096cd0a5d47133fae10c7be321fe5837673518359866f1ea72d9c5b0
Instruction ID: eb3c84ce82e2db3b1b3d7010cefe18584b3b5e8a9ff2d33a5bb65a20a43edc2d
Opcode Fuzzy Hash: 083353b0096cd0a5d47133fae10c7be321fe5837673518359866f1ea72d9c5b0
Instruction Fuzzy Hash: 6A714470A00B058FD7A4DF2AD44475ABBF1FF88300F008A2DE48AD7A50D775E95ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F6D8C4 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F6D9E2

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7463370ae711c1e7419c0ecbdc3d197fa0b3a7d9faec0d3d065f0f27a7bc2791
Instruction ID: 8d4f82c42c2078a1c7b020c5087caa598fed5d13b110fd0cc1c5c808c5cf09e4
Opcode Fuzzy Hash: 7463370ae711c1e7419c0ecbdc3d197fa0b3a7d9faec0d3d065f0f27a7bc2791
Instruction Fuzzy Hash: FA51D0B1D043499FDB14CFAAC984ADEBFB5BF48314F24812AE819AB214D7749885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F6D8D0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F6D9E2

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e4b3b72e44fa26e30bb688287facd8405d2f04ca450f0739f25f57082a2d3448
Instruction ID: 175ad104518d39edfcc7379b67b40dbc6bc3a02918b39fc3bceb4ea630568089
Opcode Fuzzy Hash: e4b3b72e44fa26e30bb688287facd8405d2f04ca450f0739f25f57082a2d3448
Instruction Fuzzy Hash: 8341C0B1D043499FDB14CFAAC994ADEBBB5BF48314F24812AE818AB214D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0196FDF0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0196FEB1

Memory Dump Source

Source File: 00000007.00000002.2895433954.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1960000_uaAWu.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4e51bc3cc5602b0edd587ec3fd0744056059d91f0e62d584731a85685335d7f2
Instruction ID: adfa7324bb9e05d53414f2141c302916b69212ff17609d0f4ae0aa04c1170d42
Opcode Fuzzy Hash: 4e51bc3cc5602b0edd587ec3fd0744056059d91f0e62d584731a85685335d7f2
Instruction Fuzzy Hash: F94117B4900349CFDB15CF99C888AAABBF9FB88714F24C459D519AB321D334A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F63410 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F6349F

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 347dbd4ec11cae9f2f7af8c8cf304a2f1f8921cb4ae5f4028faa31b63668953a
Instruction ID: 75769e5864bf6797325c195a8c4004d0f7472b536548aa26e3f7d7d555e5d21d
Opcode Fuzzy Hash: 347dbd4ec11cae9f2f7af8c8cf304a2f1f8921cb4ae5f4028faa31b63668953a
Instruction Fuzzy Hash: F921E6B5D002589FDB10CFAAD984ADEFBF5FB48310F14801AE954A7310D3749954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F63418 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F6349F

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f350b6bf99e4bb7644a0f7c0a75b635d4cd79463ee0f50d00fa3216b2bb84ded
Instruction ID: c1e814ce156ade3b0dcb4de7b62586cd61046e9128f83a393a6d588a1e13c12d
Opcode Fuzzy Hash: f350b6bf99e4bb7644a0f7c0a75b635d4cd79463ee0f50d00fa3216b2bb84ded
Instruction Fuzzy Hash: AB21E4B5D002589FDB10CFAAD984ADEFBF8FB48320F14801AE914A7310D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F6BB3A Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06F6BBAA

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 455b8f8fcb9eed033ec76361a7f9b203c87fc66329d0fded17323c78acd61630
Instruction ID: 7b7ee6db39bc31f5bda99f40de270c4ba8507ab16d746cadff4a04d64a4b21a1
Opcode Fuzzy Hash: 455b8f8fcb9eed033ec76361a7f9b203c87fc66329d0fded17323c78acd61630
Instruction Fuzzy Hash: 7F1134B6C003488FCB10CF9AD884ADEFBF4EB88320F10842EE419A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F6BB40 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06F6BBAA

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8cf817713bcbdfd0bef56d4e1047a74d609f184f96813c668aa74ec1d9afd8ac
Instruction ID: 0a57d331030bd3920e7d7a98d316157afa4cd44e6a0bf6cb612ab3468a07a2c6
Opcode Fuzzy Hash: 8cf817713bcbdfd0bef56d4e1047a74d609f184f96813c668aa74ec1d9afd8ac
Instruction Fuzzy Hash: 7D1104B6D003498FDB10CF9AD884ADEFBF4EB88320F14842AE419A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0196EF5D Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0196EFC7

Memory Dump Source

Source File: 00000007.00000002.2895433954.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1960000_uaAWu.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1c4ab07ad58faac6c267c425774c5159e4b52251bbd1299f0b53d6edbbabdc55
Instruction ID: 2e610abad261da2b5ec9c6e3bfede99a97d5d2b7d47341f38ccb2512d99796a9
Opcode Fuzzy Hash: 1c4ab07ad58faac6c267c425774c5159e4b52251bbd1299f0b53d6edbbabdc55
Instruction Fuzzy Hash: E81123B1C00259DFCB10CF9AD544BDEFBF4AF48320F24812AD418A7250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0196EF60 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0196EFC7

Memory Dump Source

Source File: 00000007.00000002.2895433954.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1960000_uaAWu.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 19fdf3a4f3266992656bb260986b0dd591b8abd618506ab20915d2831d51690a
Instruction ID: 57ae9242db70e6cc4f10a12890d9b29d0533080438113d9c6309ae9c7419f822
Opcode Fuzzy Hash: 19fdf3a4f3266992656bb260986b0dd591b8abd618506ab20915d2831d51690a
Instruction Fuzzy Hash: DD11F3B1C006599BCB10DF9AD544BDEFBF8AF48324F14816AD818A7250D778A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06F6A8A0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06F6B704), ref: 06F6B93E

Memory Dump Source

Source File: 00000007.00000002.2904263778.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f60000_uaAWu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fcd5657d7319a8162222cfbd6bc01975122322fa00370b607118a759a84db146
Instruction ID: 16922dcc6dc3b6048ee1e26fb61a78e7bdcb4924efee2af78ed858700517d5ed
Opcode Fuzzy Hash: fcd5657d7319a8162222cfbd6bc01975122322fa00370b607118a759a84db146
Instruction Fuzzy Hash: 6D1143B6C003498FDB10CF9AD444ADEFBF4EB48324F10802AE458A7314C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F74C69 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06F74DA5

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: a1a74ae34a1ee729c2cf07b5d50831dd361c3a9c6bd02e6256bb0b56d4f1419a
Instruction ID: 1039dc24aea59885d923d145f4ca877dba6a8fd96e15a199cefcedf9aa232621
Opcode Fuzzy Hash: a1a74ae34a1ee729c2cf07b5d50831dd361c3a9c6bd02e6256bb0b56d4f1419a
Instruction Fuzzy Hash: FD417030F002099FDB559FA9C854BAEBBF7FF88700F20852AE505AB395DB758D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7DB8D Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06F7DCE9

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 1761dd5cde6410f4b3e2ad86c67a4f43e098d80f00eaffceaec36e67f5e83a01
Instruction ID: dcb129b79974df8d321b52266e4348dcc898d43ae3727e6efcdb1a4f22bf20fb
Opcode Fuzzy Hash: 1761dd5cde6410f4b3e2ad86c67a4f43e098d80f00eaffceaec36e67f5e83a01
Instruction Fuzzy Hash: 8041C330E002099FDB65DFB9D84469EBBB2FF85300F54452AE405EB240DBB5E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F721D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06F7230B

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 6315ecbf5350b53e9e66e0f62baaa344ae38fad62665433aa2466ee824861ed6
Instruction ID: 7ef48a22fc02dd82ccf76c188dc56ce7215861cb805bdb0b2c5b49f3e08d739e
Opcode Fuzzy Hash: 6315ecbf5350b53e9e66e0f62baaa344ae38fad62665433aa2466ee824861ed6
Instruction Fuzzy Hash: 5B31BC30F102018FEB599B78D55466E7BE6EF89300F24842AD406DB394EF75DE46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06F78398 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F783E3

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 36bc740493770d3be7258420b72bbd633a0d3be7d36e139198746a598fc0ab61
Instruction ID: 5989a5bc6d36315946bddbb87db94b37095ff7d9c9600520cf1b1b8f61e9ca34
Opcode Fuzzy Hash: 36bc740493770d3be7258420b72bbd633a0d3be7d36e139198746a598fc0ab61
Instruction Fuzzy Hash: 5CF08C31F00201DFDFA48E48F9892A8B7A9FB44394F144477D915CB250D676DD05C791

Uniqueness

Uniqueness Score: -1.00%

Function 06F74B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06F74B6D

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 15787bcce68b3870bc960b0e329b674ed5fc35c6d2af3eb369bbd8e76b052c0c
Instruction ID: 68af9b5df1a8265dbabf077001f8a780a8a2e18094376186c5b0f24bebe8c570
Opcode Fuzzy Hash: 15787bcce68b3870bc960b0e329b674ed5fc35c6d2af3eb369bbd8e76b052c0c
Instruction Fuzzy Hash: F1F0DA30E10119DBDB14DF94E899BAEBBB2BF88700F20411AE402A7294CB705D05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06F743A8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0fd9a660e8a30279ca7dc685a1f1bdb5dc61618db46b36c7f3a05d937ed783
Instruction ID: 06ead5a2d5b47dcc145a7d72f4a4600ba0abe2d250436b0e066f50d0e63ae8c9
Opcode Fuzzy Hash: 7b0fd9a660e8a30279ca7dc685a1f1bdb5dc61618db46b36c7f3a05d937ed783
Instruction Fuzzy Hash: B3812D30F002059FDB54DFA9D4546AEB7F6EF89304F20852AD40ADB394EB75ED428B92

Uniqueness

Uniqueness Score: -1.00%

Function 06F762B0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c88442aed83ab250ae969805a8ee81a36352859debb3d15b55dd4446811eda5
Instruction ID: d1f3f2be0b0e64c50e467413f0db579442093d1d9a94549678f142ac337ab251
Opcode Fuzzy Hash: 2c88442aed83ab250ae969805a8ee81a36352859debb3d15b55dd4446811eda5
Instruction Fuzzy Hash: 6761CF71F005214FCF509A7EC89466FEAD7AFC5620B25443AE80EDB364DEA5DD0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 06F746C8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04f443bf61dab0473e45e1c19ab9d1b6f51abc6d106a40e773f09b7d930e88d
Instruction ID: bba11d033f189067692bb8153f32e85dc7e9bf046507cd5f5bf4007a96617a56
Opcode Fuzzy Hash: f04f443bf61dab0473e45e1c19ab9d1b6f51abc6d106a40e773f09b7d930e88d
Instruction Fuzzy Hash: 16914E30E102198FDF60DF68C890B9DB7B1FF89300F208596D559EB295EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F746E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9677ec87077dd04e5f95c034b4f9d97fb4986a7ab96bc3afd7b29ce8aeb4db25
Instruction ID: 6c48720fda8bdd7f9c5080d4319b4a0b8dd7366ab2ff08b6fab6943ab6efee06
Opcode Fuzzy Hash: 9677ec87077dd04e5f95c034b4f9d97fb4986a7ab96bc3afd7b29ce8aeb4db25
Instruction Fuzzy Hash: BA913D30E1021A8BDF60DF68C980B9DB7B1FF89304F208599D559AB355EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7EBE8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d73c12367092b610105851cca43c4593dadd3d3d5e74f60840915722154fb6
Instruction ID: 1e37dabc26aa630bcd841b513df93cfc86751543a911e2760b7362b2e1b53e9b
Opcode Fuzzy Hash: d6d73c12367092b610105851cca43c4593dadd3d3d5e74f60840915722154fb6
Instruction Fuzzy Hash: CA713A31E002099FDB54DBA8D990AAEBBF6FF84300F14846AE419EB355DB30ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F7EBF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7a87408f8aeca3c251ea77c08f4ab7b88617844f2e81a8606f32eb23912c5a
Instruction ID: a526c77bfd06845fd4963596bdd6ba87eb75c406c33ca3c32dedc2ac15742e32
Opcode Fuzzy Hash: 2c7a87408f8aeca3c251ea77c08f4ab7b88617844f2e81a8606f32eb23912c5a
Instruction Fuzzy Hash: E5710A71E002099FDB54DBA9D990AADBBF6FF88300F14846AE419EB354DB30ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F7FD58 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84066a2c33312279e8db1ef01ebf929a3f34917b5a9b8f90ea3996c5621629a4
Instruction ID: cdd22267021dd2e4774d47b7c33ccf10f760aaf5008aec9f466fe0742afa056c
Opcode Fuzzy Hash: 84066a2c33312279e8db1ef01ebf929a3f34917b5a9b8f90ea3996c5621629a4
Instruction Fuzzy Hash: 9C51C231E02109DFDB64EB78E8546ADBBB2EF85314F10897AE006D7254DF358956CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06F7FB07 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f6ba3a6b00738b1b9b97036d413d463db91fe329416c4152cf5227789fe91e
Instruction ID: 9789a076449bd31ce83346fb7ab054e923f8d5cafa300bd54ed8e9ce8e70b070
Opcode Fuzzy Hash: e1f6ba3a6b00738b1b9b97036d413d463db91fe329416c4152cf5227789fe91e
Instruction Fuzzy Hash: 5951B270F112159FEF64567CED9872F265FD789310F20482AE50AD73D5C969CC8683E2

Uniqueness

Uniqueness Score: -1.00%

Function 06F7FB18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74efccbd8ca17ac1c413cf221a2353d2e7bbed6d10bc74862eacfff788674000
Instruction ID: 2fd61c7f721834937f7e9fed78f4758243e9ca446886586921b2dd7cad7a0b11
Opcode Fuzzy Hash: 74efccbd8ca17ac1c413cf221a2353d2e7bbed6d10bc74862eacfff788674000
Instruction Fuzzy Hash: E1519370F112159FEF645A6CED98B2F269FE789310F20482AE50AD73D4C969CC8643E2

Uniqueness

Uniqueness Score: -1.00%

Function 06F75520 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4f81c8a7060a956f2c7d4c976ec7fa6003c8a32bbe726050e9065cc5993e64
Instruction ID: 240b7c970fd815eeef6c70c9b27791824f19bff703bc960846279d0271ccdef3
Opcode Fuzzy Hash: 7a4f81c8a7060a956f2c7d4c976ec7fa6003c8a32bbe726050e9065cc5993e64
Instruction Fuzzy Hash: 9A416C71E006098FDF70CFA9DC80AAFFBB2EB95314F10492AE216D7654DB30E9558B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7DA40 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dd00497d1ef6c7cbe9a43d7fb3938b81da504f063fe35d0e66fdb8f014a55e
Instruction ID: a5c2286b1739246ad8ff1132a0a64feff0123aab2f4175c12c605782bb6a9f92
Opcode Fuzzy Hash: 30dd00497d1ef6c7cbe9a43d7fb3938b81da504f063fe35d0e66fdb8f014a55e
Instruction Fuzzy Hash: 1031A830E103069FDF15DF69D884A9EBBB2FF85300F54452AE405EB351DB70E9468B41

Uniqueness

Uniqueness Score: -1.00%

Function 06F72083 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b685b72ce3bb540eae0d044da84e124215742a6d93255113b22ec030ed1cbb6d
Instruction ID: f97c9db7ea5f566ae4c9f7d0d1c3e0ed72aeceeab075b6d7f37a2445f56c3807
Opcode Fuzzy Hash: b685b72ce3bb540eae0d044da84e124215742a6d93255113b22ec030ed1cbb6d
Instruction Fuzzy Hash: B8318F31E102169BCB55CF65D89469EB7F2BF89300F14851AE906EB340EB71AD46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F72090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015fbcbafbdbecc899694ac98b218a7b57e02139cf3309683ae34a28371d834a
Instruction ID: 9d5f87068c55b472cf033cae6d367b675cf5fc383cddf5d734818cf7048efa94
Opcode Fuzzy Hash: 015fbcbafbdbecc899694ac98b218a7b57e02139cf3309683ae34a28371d834a
Instruction Fuzzy Hash: 68314B31E102059BCB59CFA5D89469EB7B6BF89300F10852AE906EB340EBB1ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F73FB1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c97aa9b121fec33f7b3058a8c5739244e78efbd036a42e9a155348bc3c5637
Instruction ID: 1fbdb1f089b1a43942e6dddfd9785408a4a0f62913d6e86bf14baca39859683f
Opcode Fuzzy Hash: 04c97aa9b121fec33f7b3058a8c5739244e78efbd036a42e9a155348bc3c5637
Instruction Fuzzy Hash: DD216B75E012059FDB00DF79D841AAEBBF9EB48750F008025E905EB390E735EC028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F73FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0f146ab64ef20e7aaed8a3b3ebc27fe6449c55db8334dbe9920c5c2660daa7
Instruction ID: 184baf0bb49fa6451ff39a84171caa7bf26c9701726410d46ba61c25aafbe664
Opcode Fuzzy Hash: 3e0f146ab64ef20e7aaed8a3b3ebc27fe6449c55db8334dbe9920c5c2660daa7
Instruction Fuzzy Hash: 57217A76F002159FDB40CF69D880AAEBBF5EB48710F109026E909EB390E735ED018B95

Uniqueness

Uniqueness Score: -1.00%

Function 0188D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2895199991.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_188d000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5705493e4334ace27419b8d9330ccf3169ca1a61e2cfb56586d9812f31c79a
Instruction ID: 39eed1c1454a74904afc17794cd912373fe837f2f4bab8732e4a026492c342d3
Opcode Fuzzy Hash: 5e5705493e4334ace27419b8d9330ccf3169ca1a61e2cfb56586d9812f31c79a
Instruction Fuzzy Hash: BB210471504204DFDB15EF58D9C0B26BBA5FB84318F24C76DD9098B296C33AD947CA62

Uniqueness

Uniqueness Score: -1.00%

Function 06F7A3D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46b649218225b2b64f1872442ddf21be8ed81558da3b27070b258a3f43486bf
Instruction ID: d8921d6f70873d66a2925cae1c0e94c519e57f6e9fa974a6519d7ab9ad9b1183
Opcode Fuzzy Hash: c46b649218225b2b64f1872442ddf21be8ed81558da3b27070b258a3f43486bf
Instruction Fuzzy Hash: 3B112630F042511FDB519A7CE804BAE77D6FB8B310F404426F40ACB3A0DD26DD068782

Uniqueness

Uniqueness Score: -1.00%

Function 06F74308 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7cac5923ea9ee8c2077a5eee3fde48d199e8fa652c076bacd1648c1a9a7e7d
Instruction ID: d243dd38be437a0df12a536a1f334aa4c9f589f05f6b34cb67b979b37c130536
Opcode Fuzzy Hash: cb7cac5923ea9ee8c2077a5eee3fde48d199e8fa652c076bacd1648c1a9a7e7d
Instruction Fuzzy Hash: BC11D230F041511FDBA1967DA415B6FB7EADBCA720F14893BE44EC7385E915CC024391

Uniqueness

Uniqueness Score: -1.00%

Function 06F740D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19b5f364acb7a9b8e80e8a656ae4c5f8d3e0c7e43631ad767effc063fa151b8
Instruction ID: b09aa604b6d3a1411c8b9399c341a6055b3eb401c5fa5239d186c884bc13ed28
Opcode Fuzzy Hash: b19b5f364acb7a9b8e80e8a656ae4c5f8d3e0c7e43631ad767effc063fa151b8
Instruction Fuzzy Hash: 04117C32B041249FDB559668D8146AE72EAEBC8311F00853AD50AEB380EAB59C128B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7EE69 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0af654b61e83b0b0563c2819f3bb1a2527aa7656414faf160bbfa6f006b717
Instruction ID: 3da22dfae20f03f8d6d1af3d3aa63b653d4872b55d00baf5e1cd2870d7710ebc
Opcode Fuzzy Hash: 2e0af654b61e83b0b0563c2819f3bb1a2527aa7656414faf160bbfa6f006b717
Instruction Fuzzy Hash: 76018F30F052152FCB61967DA854B6B7BDADBCA610F11886BF10ACB341EDA9DC4343A2

Uniqueness

Uniqueness Score: -1.00%

Function 06F75698 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16d708dbe90102d56a2ca1f8149c01a8fd10588c734b3610f840b13a429d054
Instruction ID: c560e08ac7bedcfac5e58e91d5c26b91b6e513fff4fabbde43d7f8ebc1eb1b22
Opcode Fuzzy Hash: b16d708dbe90102d56a2ca1f8149c01a8fd10588c734b3610f840b13a429d054
Instruction Fuzzy Hash: F411C035E042998FDF608EBA8C806BFFBB5FB86210F54887BD458D7142DA34D6058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F740BF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beba363e51031e4871a295cd563d470165be4921243997046aa0d3caa040eb89
Instruction ID: 8c15e4ec8cd9130372405a3cc9ecbed0a1e4f464ec4758d23b20203a9e1bea4a
Opcode Fuzzy Hash: beba363e51031e4871a295cd563d470165be4921243997046aa0d3caa040eb89
Instruction Fuzzy Hash: 2401D432F142686BDB54A669DC14AEB37FFDBC8311F044136E50AD7384EEA59C1287E2

Uniqueness

Uniqueness Score: -1.00%

Function 06F73988 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589d6c053ee10b85675e17be0cc52291a0ad70c7d783a459bae4f529451d4419
Instruction ID: 62016672377d97c443f742c47104886ec21bd68e80f6a050ee3c377dd774d2c4
Opcode Fuzzy Hash: 589d6c053ee10b85675e17be0cc52291a0ad70c7d783a459bae4f529451d4419
Instruction Fuzzy Hash: 1A21E5B5D01259AFDB00DF9AD885ADEFFB4FB48310F10812AE518A7201D375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0188D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2895199991.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_188d000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 4058e45486e56061883ee09b8334a333154c80bef5d030bec7a4433af2443f2b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4B11A975504284CFDB12DF58D584B15BBA1FB84314F28C6AAD8498B697C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06F73990 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fce079b0b336242f2fd8962c42b0e9841b8b9c35e3a7bb6515a9446ba1936d6
Instruction ID: 57711b1e7480a3921f2b7c7b48a909d979a8963c7bd0dc36c99671b0351a61d2
Opcode Fuzzy Hash: 7fce079b0b336242f2fd8962c42b0e9841b8b9c35e3a7bb6515a9446ba1936d6
Instruction Fuzzy Hash: 6D11D3B5D01259AFCB00DF9AD885ACEFFB4FB48310F10812AE518B7200C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F74318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc8374df05c28a04c4ab2ccb0b32a220d24dc9a67aeb56037efe41c3734b4c0
Instruction ID: 2146c5f83c8b2dab9ef99ae771f819010fafe27b6bead3290ea08881d6d8f3d2
Opcode Fuzzy Hash: ccc8374df05c28a04c4ab2ccb0b32a220d24dc9a67aeb56037efe41c3734b4c0
Instruction Fuzzy Hash: 80018C31F001111BDBA49A7EA415B2FF7DAEBC9724F24883AE50EC7384ED66DC424396

Uniqueness

Uniqueness Score: -1.00%

Function 06F7EE78 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260148ec2b0419e417443c35d38c96f518810acc4df04fd265ea61c32c834c24
Instruction ID: 5bf331fc38b11db89bf255c23751556821eb662fbaecd4d615efea1ba059e029
Opcode Fuzzy Hash: 260148ec2b0419e417443c35d38c96f518810acc4df04fd265ea61c32c834c24
Instruction Fuzzy Hash: 4201AF31F001145BDB659A6DA454B3FA2DAEBCA710F108C3BE50ECB340EEA5DC034386

Uniqueness

Uniqueness Score: -1.00%

Function 06F7A3E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cededc068dfb88563bd6af480070a59ed0f6030768cde38edc3ce01ce34c00
Instruction ID: 5e175c58a16d0cb4f3eebdd21347645707ce1413ef3c3e63a3a259ece6c5a661
Opcode Fuzzy Hash: 65cededc068dfb88563bd6af480070a59ed0f6030768cde38edc3ce01ce34c00
Instruction Fuzzy Hash: F1018C30F005101FCB60AA6DE858B2EB3DAFB89715F108839E50ECB350EE66DC028B85

Uniqueness

Uniqueness Score: -1.00%

Function 06F76539 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea756f3d405232dcc0ac6ab45cecdb20fe62ac84f3125ef7afb7d948645d8d3
Instruction ID: 1bba88663e68d9827f9c213a8307156a82bcbb5f19a54619c842d7acb502b563
Opcode Fuzzy Hash: 9ea756f3d405232dcc0ac6ab45cecdb20fe62ac84f3125ef7afb7d948645d8d3
Instruction Fuzzy Hash: 51E09231D19358ABDF60DAB49D45B6B7FADD742604F208597E408C7143E176CA00E7D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06F77768 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F77895
$^q, xrefs: 06F77C21
$^q, xrefs: 06F77CC0
$^q, xrefs: 06F77858
$^q, xrefs: 06F77CCA
$^q, xrefs: 06F77889
$^q, xrefs: 06F77CB4
$^q, xrefs: 06F77CD6
$^q, xrefs: 06F77864
$^q, xrefs: 06F77C15

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 3cf2949c0a666f6a7d77430290372ef3f056f4b462c4d636b66e66b118d58e6a
Instruction ID: fe4e1acd2fbff43d2f03be89d2b8c1b4a35e97c8b24176a541d009b0738df9ea
Opcode Fuzzy Hash: 3cf2949c0a666f6a7d77430290372ef3f056f4b462c4d636b66e66b118d58e6a
Instruction Fuzzy Hash: 4E121E30E10219CFDB64EF65C954AADB7F6BF88304F2485AAD409AB354DB309D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F7AA08 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F7ABBA
$^q, xrefs: 06F7AB0A
$^q, xrefs: 06F7AB59
$^q, xrefs: 06F7ABC6
$^q, xrefs: 06F7AB65
$^q, xrefs: 06F7AB90
$^q, xrefs: 06F7AB84
$^q, xrefs: 06F7AAFE

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 39ca5cd67a9aac04e36b96ce731b23591d77fc409ba6417e9c8cb02e06b5fac1
Instruction ID: 74c920e3076fb2165def1bc676cbb82c8257aec823d861a8e0fed5a252ce5ffd
Opcode Fuzzy Hash: 39ca5cd67a9aac04e36b96ce731b23591d77fc409ba6417e9c8cb02e06b5fac1
Instruction Fuzzy Hash: 25915D30E00209DFEB68DF68D994B6EB7B6FF84305F15842AE4069B294DB74DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F77168 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F7767C
.5vq, xrefs: 06F771C3
$^q, xrefs: 06F77670
$^q, xrefs: 06F77604
$^q, xrefs: 06F774B0
$^q, xrefs: 06F774A4
$^q, xrefs: 06F7744A

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 22581fb1e45dac1f66fde920bbb817861dce12551056d7fde80d32579bc9d937
Instruction ID: 592006b00d57801aa33a1b97a2c8d336db718dfce8037e4860a5fb05e9d3aa99
Opcode Fuzzy Hash: 22581fb1e45dac1f66fde920bbb817861dce12551056d7fde80d32579bc9d937
Instruction Fuzzy Hash: 60F19030B11209CFDB58EF68D594A6EB7B6FF88305F248569D4059B368CB35EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F784A0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F7876B
$^q, xrefs: 06F78706
$^q, xrefs: 06F786FA
$^q, xrefs: 06F7875F

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b77f9d14aed31f81da8ead173124c944c3cbaa388b78ccf0aa9f11d5daeb2be3
Instruction ID: b209b010fc79107cec2a0f6bf82a20c743ac60e8eddd06d9bf23afc6135c3955
Opcode Fuzzy Hash: b77f9d14aed31f81da8ead173124c944c3cbaa388b78ccf0aa9f11d5daeb2be3
Instruction Fuzzy Hash: 80B13930E002098FDB54DB68D58866EB7B6FF88355F24883AD41ADB354DB75DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F788B8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06F789AB
$^q, xrefs: 06F78937
$^q, xrefs: 06F78943
LR^q, xrefs: 06F789FA

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 14a9079b27649c9cd19311dea107c1facf7a0a7a1fe2ee01d32a71dd77fe9e2f
Instruction ID: feb5d3dd0b8f7c9635f1ce9690cc9964c263c43358218649fcf2e991cc6aeb1a
Opcode Fuzzy Hash: 14a9079b27649c9cd19311dea107c1facf7a0a7a1fe2ee01d32a71dd77fe9e2f
Instruction Fuzzy Hash: 9D51C330B00206DFDB58DB28D948A6AB7F6FF88704F14856AE415DF394DA31EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06F7AD90 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F7AEC1
$^q, xrefs: 06F7AF6C
$^q, xrefs: 06F7AF43
$^q, xrefs: 06F7AF14

Memory Dump Source

Source File: 00000007.00000002.2904315763.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_uaAWu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: ac36e5c9171586b6827f46faa516f87cb2c47c0b031501d43478fa4fcc66b0ba
Instruction ID: a4634079ed0d29e8e98f76bbe17f9a4ba1d16dc5ff5ba7322a0e660a77543887
Opcode Fuzzy Hash: ac36e5c9171586b6827f46faa516f87cb2c47c0b031501d43478fa4fcc66b0ba
Instruction Fuzzy Hash: 91518E30E012099FDFA5DB68E9806AEB7B6FB88311F15856BE405DB354DB34DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Leoch-Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
Leoch-Purchase Order.exe

Function 00FC0000 Relevance: 13.9, APIs: 9, Instructions: 363
threadinjectionmemoryCOMMON

Function 00FC0054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Function 00F405B4 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 00F40FE7 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Function 00F40CE0 Relevance: 1.3, APIs: 1, Instructions: 47
memoryCOMMON

Function 00F40CDF Relevance: 1.3, APIs: 1, Instructions: 47
memoryCOMMON

Function 00FC0420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Function 00CED6CD Relevance: .0, Instructions: 45
COMMON

Function 066F3578 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 066F7E50 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Function 0164EB00 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre