Edit tour

Windows Analysis Report
Quarantined Messages (3).zip

Overview

General Information

Sample name:	Quarantined Messages (3).zip
Analysis ID:	1428644
MD5:	3e900525c6df4fa47db5ada47e7b3ff1
SHA1:	7da26dddfac0fa7f36c2f55693f35b7bbe7a5fbb
SHA256:	2d0db26cb0babb7e08ddcccafcb5563b3fbaa5a07448287611c952b5dd79de4c
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 7076 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages (3).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 7164 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5en31z4t.51p" "C:\Users\user\Desktop\Quarantined Messages (3).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages (3).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5en31z4t.51p" "C:\Users\user\Desktop\Quarantined Messages (3).zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5en31z4t.51p" "C:\Users\user\Desktop\Quarantined Messages (3).zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 51C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 477			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9493			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7140	Thread sleep count: 477 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7140	Thread sleep time: -238500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7140	Thread sleep count: 9493 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7140	Thread sleep time: -4746500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0150B1D6 GetSystemInfo,

0_2_0150B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5en31z4t.51p" "C:\Users\user\Desktop\Quarantined Messages (3).zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428644
Start date and time:	2024-04-19 10:54:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quarantined Messages (3).zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:55:33	API Interceptor	4017375x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3433
Entropy (8bit):	5.035340095435471
Encrypted:	false
SSDEEP:	48:5H8cHNQHy23SHyGbMHyGMHyGpaHyGjDHyGMHyGpNcHyGbOHyGocHyG0HyG5FHyGR:WBSOlHo6AdvEJ
MD5:	6ECC6B0F9D115BE6DC6D6168C1D6DE0E
SHA1:	2CE714953407C998863F44271B5AE5634679203A
SHA-256:	F77D5510D2B14EEF1BC3EAA5636046CAE0D1F12CA2AF93D19ADD571FA5FDFA46
SHA-512:	3615F16F1CEE4B2E13AFDF932D8E8DBA6551AB15C99904F96C9EC64D995552C7D6703996798FF226B4B921E6059B6802C9C2DDB1309ECE23BC8D93FFE80D9A49
Malicious:	false
Reputation:	low
Preview:	04/19/2024 10:54 AM: Unpack: C:\Users\user\Desktop\Quarantined Messages (3).zip..04/19/2024 10:54 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\5en31z4t.51p..04/19/2024 10:54 AM: Received from standard error: ERROR: Wrong password : fb9cc81a-9f3e-45e1-75f5-08dc600702bc\be53bdb1-f39a-a2a2-c66b-e47c410563cb.eml..04/19/2024 10:54 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/19/2024 10:54 AM: Received from standard out: ..04/19/2024 10:54 AM: Received from standard out: Scanning the drive for archives:..04/19/2024 10:54 AM: Received from standard out: 1 file, 791623 bytes (774 KiB)..04/19/2024 10:54 AM: Received from standard out: ..04/19/2024 10:54 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\Quarantined Messages (3).zip..04/19/2024 10:54 AM: Received from standard out: --..04/19/2024 10:54 AM: Received from standard out: Path = C:\Users\user\Desktop\Quarantined Messages (3).zip..04/19/2024 10:54

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.999766318857523
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Quarantined Messages (3).zip
File size:	791'623 bytes
MD5:	3e900525c6df4fa47db5ada47e7b3ff1
SHA1:	7da26dddfac0fa7f36c2f55693f35b7bbe7a5fbb
SHA256:	2d0db26cb0babb7e08ddcccafcb5563b3fbaa5a07448287611c952b5dd79de4c
SHA512:	c630868c0b2633034ad38b946c223422ab9b2837d800d90ca13bf0c91b1a92253830c6c9e9b845d6c1faf7f8b9de0ddcaac7a335a0dfc94592babe3da043640b
SSDEEP:	12288:uWGrkviMYNpYaSDPZG6ma/C26E370UEjnQaynu6Y0Cqplj3Kil+i:udsiMYNpZSnma/C237uk7uj0Cq7Xl+i
TLSH:	08F4335F53A52428818161B6D49CBA4BC2BB7C8B0066F176BF2781BB2E45E7FF1DC181
File Content Preview:	PK..-......F.X..K.........M...fb9cc81a-9f3e-45e1-75f5-08dc600702bc/be53bdb1-f39a-a2a2-c66b-e47c410563cb.eml...................."...SC..1...t.5...eD-.3o..........i.....2...4..h...>uC...wY2.97.......:M.8.....f.....~:....U".x....0....U.D.'...>.n..,u.te..-..,

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	10:54:58
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages (3).zip"
Imagebase:	0xbf0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:54:58
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5en31z4t.51p" "C:\Users\user\Desktop\Quarantined Messages (3).zip"
Imagebase:	0x7a0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:54:58
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0150B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0150B208

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 45f13522e377ff2fe76cacbbc4639d39af72bc276cd8d3ec22432aeb6dc165ce
Instruction ID: 74c8f528406a23303ab291588b38cd28fb7b27725a24fc3a3e79bf76fb05f53d
Opcode Fuzzy Hash: 45f13522e377ff2fe76cacbbc4639d39af72bc276cd8d3ec22432aeb6dc165ce
Instruction Fuzzy Hash: 7C012634900240DFDB21CF49D984769FBE4EF44220F08C8AADD089F756D278A408CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0150B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0150B2F3

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f12a094e8c01eb214eae22f70a8b39675500cbd3f707015ebdb29788c268b34
Instruction ID: 229cdf3cdd2367069ca8eb61a89aecabfd8612dbffc7265e20a2c66928e179ca
Opcode Fuzzy Hash: 1f12a094e8c01eb214eae22f70a8b39675500cbd3f707015ebdb29788c268b34
Instruction Fuzzy Hash: 6931B471404344AFE7228B65DC44FAABFBCEF55210F04849AE985CB562D335E919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0150AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0150ADA7

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 616eb7d675952254d06dd55e01babf7cf0d97e627b0aceca5ab0d16bfbb89a3a
Instruction ID: 00a7b424ed38ed4d5c9028d1566430fe15f7fe20daabd7b13b49d4b4b08eb092
Opcode Fuzzy Hash: 616eb7d675952254d06dd55e01babf7cf0d97e627b0aceca5ab0d16bfbb89a3a
Instruction Fuzzy Hash: 0431C472504344AFE7228F64CC44FA7BFACEF05210F04889AF985DB652D224E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0150AB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0150AC36

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 13d40ac49d8883db79f4472fe28dc170d7f777e66f1c5f87d874c3e5fc5805e7
Instruction ID: ae08290a67fd0b5c4ff455e6fb620d946b2e664c4c7d59c29cc1ad5e8e193a85
Opcode Fuzzy Hash: 13d40ac49d8883db79f4472fe28dc170d7f777e66f1c5f87d874c3e5fc5805e7
Instruction Fuzzy Hash: E7317E7150E3C06FD3138B718C65AA2BFB4AF47610F1A84CBD8C4DF6A3D2696919C762

Uniqueness

Uniqueness Score: -1.00%

Function 0150A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0150A67D

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7a53e8e898e12814be6afd61a26229d57715cd37901642390ae1c07525b45e73
Instruction ID: 9863df6935357f1ee6eca19209eb14d06733553d6b3bf1dcc322508e94000034
Opcode Fuzzy Hash: 7a53e8e898e12814be6afd61a26229d57715cd37901642390ae1c07525b45e73
Instruction Fuzzy Hash: C8317E71505340AFE722CF65DC44F66BBF8EF45220F08889AE9858B692D375E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0150A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0150A1C2

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: a40e734bc51d0f9dbd6baab1eb02ecaf5b2ed85673ee3e525f2227118f68e47c
Instruction ID: 41c2667a0b6c23f7ee4114b7af6ec4d1b2869697eea956169dce66577cb2b6de
Opcode Fuzzy Hash: a40e734bc51d0f9dbd6baab1eb02ecaf5b2ed85673ee3e525f2227118f68e47c
Instruction Fuzzy Hash: AC21B27150D3C06FD3128B258C51BA6BFB4EF87610F1945CBD8C4DF693D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0150A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A40C

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 52d479dc7249619f762e7cf0a09f20cec5080b2a325b2682b4063dcfd1559f12
Instruction ID: 61f62ded4b2c4a4453f39f8225c5991ba0a2d6c1ae867d975a3c0e02e5f1e0bc
Opcode Fuzzy Hash: 52d479dc7249619f762e7cf0a09f20cec5080b2a325b2682b4063dcfd1559f12
Instruction Fuzzy Hash: 62217A76504740AFE722CF55DC84FA6BBF8EF45610F08849AE985CB292D364E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0150B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0150B2F3

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed0b0bb5ff561ebfbd88587acdac4ceda0c29c47b5532dd6cce6949568ebdb62
Instruction ID: d13a1310f6d3bce7a89f5b704a020f866e55b9d54540df80a4ee1adb09eef53c
Opcode Fuzzy Hash: ed0b0bb5ff561ebfbd88587acdac4ceda0c29c47b5532dd6cce6949568ebdb62
Instruction Fuzzy Hash: DF21B072500204AFEB228F65DC84FAABBECEF14214F04886AED85DB655D735E5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0150AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0150ADA7

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a4ed74b74b3413b3d675669233df6e3866d700abef6a98912a96b4699727aa4d
Instruction ID: e239e862f48660919c250be4a939fb20f2c88a58fa9e604b76acad1f8844e4a4
Opcode Fuzzy Hash: a4ed74b74b3413b3d675669233df6e3866d700abef6a98912a96b4699727aa4d
Instruction Fuzzy Hash: BF21B072500304AFEB228F64DC44FABFBECEF14224F04886AE945DBA55D735E5488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0150A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A8DE

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a7448e5b0b6e3a47907588d07516c2d5455733411b48ac69478fc72f547fd30b
Instruction ID: 8091db869224645a0a31c88c398dccae9753dcea2df6d708d96cc908dc11b89d
Opcode Fuzzy Hash: a7448e5b0b6e3a47907588d07516c2d5455733411b48ac69478fc72f547fd30b
Instruction Fuzzy Hash: 3621C4715083806FE7238B54DC44FA6BFB8EF46614F0888DAE984DF657D234A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0150A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A9C1

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: cff0625347c6b5d1c6fdbe5599236b21f6d74574df57bd8ddcd560cfa83d4939
Instruction ID: 2a65191021501adb8e2d0b72ea4257ba4684134080c46495b4039cfab6445a82
Opcode Fuzzy Hash: cff0625347c6b5d1c6fdbe5599236b21f6d74574df57bd8ddcd560cfa83d4939
Instruction Fuzzy Hash: 2E21B271409380AFDB22CF55DC44F96BFB8EF46314F08889AE9849F256C375A548CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0150A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0150A67D

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fd943bb25920b973a96397bc67542e230cb12d8f97fb986e8db48f29305190f3
Instruction ID: 9f6bba513874fd6677c4fbac7bf28a50d376aed06bfb6a14082f3e8cf952e457
Opcode Fuzzy Hash: fd943bb25920b973a96397bc67542e230cb12d8f97fb986e8db48f29305190f3
Instruction Fuzzy Hash: 8D217C75A00300AFE722CF69DD45F66FBE8EF48210F048869E9859B696D375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0150A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A815

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a3336b10cddcaea6dcf344b20fcda3a9ed42085af0ba0c7039dbcaecddaaedb9
Instruction ID: c7ede4c18f8fdb5f900ec582b5331b3f33318f044c7c575035c8a405ff4d0e51
Opcode Fuzzy Hash: a3336b10cddcaea6dcf344b20fcda3a9ed42085af0ba0c7039dbcaecddaaedb9
Instruction Fuzzy Hash: 4121D5B54083806FE7138B65DC44FA6BFB8EF56314F0880DAE9848F297D268A909D775

Uniqueness

Uniqueness Score: -1.00%

Function 0150A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0150A748

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0314b2257d7c9cee0ed936d5079d047f944ce80269d07c911d91c6f3416d9001
Instruction ID: 0a0d51756cdfb7d768c57bae074e885efd35b8d6337a82f61adbf727338d0eab
Opcode Fuzzy Hash: 0314b2257d7c9cee0ed936d5079d047f944ce80269d07c911d91c6f3416d9001
Instruction Fuzzy Hash: 9D2192B59093C09FD7138B25DC95652BFB8EF07220F0984DADD858F6A3D264A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0150AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0150AA8B

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f9bc33c06859f4ffae0dbc1a81b555e064c19e31a5732df2becf71718dfb62b8
Instruction ID: c64bcc56655269590081396d23523f1feade0465d4a9abe03fcaa8fd00922477
Opcode Fuzzy Hash: f9bc33c06859f4ffae0dbc1a81b555e064c19e31a5732df2becf71718dfb62b8
Instruction Fuzzy Hash: 4621D0715083C05FEB12CB69DC55B96BFE8AF06310F0D84EAE884CF293D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0150A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A40C

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cf503871699d7d7b1ffe4de1f0b93b6425d2a77ea515476cb3e59461ce147586
Instruction ID: 4741e306db8fdca659099a3eb0de90a33b4f64add4111e2d5d7085289e6c9ffe
Opcode Fuzzy Hash: cf503871699d7d7b1ffe4de1f0b93b6425d2a77ea515476cb3e59461ce147586
Instruction Fuzzy Hash: 9D21AE75600300AFE722CE59CC84FA6F7ECEF04610F08846AE945CB692D374E809CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0150A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A9C1

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 81a7a1caa983aa1756941c22b6ad5c6b9b2063f5b13587ac8acd26f2cc825f0b
Instruction ID: 2be5b190dce9ca6e19bbd5aae766241c05c9506fdc437a7dd0759172a1be39cd
Opcode Fuzzy Hash: 81a7a1caa983aa1756941c22b6ad5c6b9b2063f5b13587ac8acd26f2cc825f0b
Instruction Fuzzy Hash: 6411D071500200AFEB22CF55DC44FAAFBE8EF54324F04886AE9459F695C374A448CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0150A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A8DE

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 88cc66f8cec5bda3f8c1a3537a21fc23a51c5141c916275994b2ac7e7b6e7c73
Instruction ID: d15df56ba26800111f056477d1c860a77c0787782638227f7f7b79b8cac03201
Opcode Fuzzy Hash: 88cc66f8cec5bda3f8c1a3537a21fc23a51c5141c916275994b2ac7e7b6e7c73
Instruction Fuzzy Hash: 4911BF71500300AEEB22CF94DC44FAAFBE8EF54224F04886AE9459F685D374A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0150A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0150A30C

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f3756dc76e0a2bea5d874e0e21a6e4f58f77cf72f09d440dbf1215c6c2e85dcf
Instruction ID: c3f8a4008b6935c037b7211bc47b927312dad95cd27647f2349eec0dc8130aec
Opcode Fuzzy Hash: f3756dc76e0a2bea5d874e0e21a6e4f58f77cf72f09d440dbf1215c6c2e85dcf
Instruction Fuzzy Hash: E51191754093C09FD7238B65DC55A52BFB4EF47220F0980DBD9848F2A3D265A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0150A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,8C4BE639,00000000,00000000,00000000,00000000), ref: 0150A815

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ecf5689df69bf9fec4f7d410dcdc57639b20b688bd24943c39b0f2b73d36ac82
Instruction ID: 29b9131f51d14e29a5241de7dc90c7ca66ba1f12dbae2e7d254282a8b1e72e9f
Opcode Fuzzy Hash: ecf5689df69bf9fec4f7d410dcdc57639b20b688bd24943c39b0f2b73d36ac82
Instruction Fuzzy Hash: 1C012271500300AEE721CB55DC84FAAFBE8EF54624F04C4A6ED449F786D378E908CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 0150AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0150AA8B

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7590060ac1af2e96addd3108e8da6bb3cf0ae936d7ae1bdc952774f92448182f
Instruction ID: 6fdd44789d864bf34502e2199ad47bcc19be40b5dd589a3dd036cee843c70155
Opcode Fuzzy Hash: 7590060ac1af2e96addd3108e8da6bb3cf0ae936d7ae1bdc952774f92448182f
Instruction Fuzzy Hash: 3C1182716002409FEB11CF59D984B5AFBD8EF44210F08C4AADD05CF6C6E274E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0150AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0150AFE4

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 60c0c62d42a65214edf5fa48143ce9efb750d6ae928ecfc717cfcf64e15852ce
Instruction ID: d4d3076c877ccfb1c9af3140789e54c8c3b96a7faa002ad0cc819050e2514530
Opcode Fuzzy Hash: 60c0c62d42a65214edf5fa48143ce9efb750d6ae928ecfc717cfcf64e15852ce
Instruction Fuzzy Hash: 5911CE755093C09FD712CB69CC85A52BFF4EF06220F0984DAE8858B2A3D234A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0150B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0150B208

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b74e2f095c50b3c58175ee316d413d3a2b5681cbba6a442b874458aa5ddc15d2
Instruction ID: fd586151e5d026520c6143aa99b70494ea616434688169989d044c647deb7302
Opcode Fuzzy Hash: b74e2f095c50b3c58175ee316d413d3a2b5681cbba6a442b874458aa5ddc15d2
Instruction Fuzzy Hash: E9119E754093809FDB12CF55DC84B56BFB4EF46220F0884DAED849F252D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0150A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0150A1C2

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 18acbbce8f51d952a942e6c9cc1c9e0c996aa3580a2654abd35acb086a58f233
Instruction ID: 1d7d6803f5c86fd74e77f9357f28ef7e49f047d703bab7c6b95b1698268a5cea
Opcode Fuzzy Hash: 18acbbce8f51d952a942e6c9cc1c9e0c996aa3580a2654abd35acb086a58f233
Instruction Fuzzy Hash: C2017171A00200ABD310DF16DC45B66FBE8EB88A20F14855AED489BB45E735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0150ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0150AC36

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 19eb6d3286bccbac572e1c23a32e3ef0832281657509f9fdd01a262900968eb3
Instruction ID: 85e1c586c42be6eddb34155189da77fccd21a232ca1371ac7f4baad8627e33bc
Opcode Fuzzy Hash: 19eb6d3286bccbac572e1c23a32e3ef0832281657509f9fdd01a262900968eb3
Instruction Fuzzy Hash: FD01B171A00200ABD310DF16CC45B66FBE8FB88A20F14811AEC489BB45E735F925CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0150A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0150A748

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e36475381e86d793b929121aeed7387d389319810d804a4a7009a0037685f94e
Instruction ID: b27a4b2524436b89f912730108fb7bdd4acd42cdf0e1c592c5927e210a348259
Opcode Fuzzy Hash: e36475381e86d793b929121aeed7387d389319810d804a4a7009a0037685f94e
Instruction Fuzzy Hash: 9601D4759003408FDB11CF59D984766FBE4EF44220F08C4AADC068F796D278E448CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0150AFE4

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 511f77ea36e67d0d902a2be5a96cf85631e307b8fddf5aaeab5e56ed44b2f28f
Instruction ID: dce701ffd429a41b46d8ae235fe036429f5d1c82183bbdb9285ba112582ca19d
Opcode Fuzzy Hash: 511f77ea36e67d0d902a2be5a96cf85631e307b8fddf5aaeab5e56ed44b2f28f
Instruction Fuzzy Hash: A501F4795003409FDB22CF19D885766FBE4EF04220F08C4AADD058F792D275E848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0150A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0150A30C

Memory Dump Source

Source File: 00000000.00000002.4095809654.000000000150A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7b03a8afde240e63325aee783a5b8916dbdd51094855a306ade36a26221aeed5
Instruction ID: e4a9435bdccf1b5ac7df31184f20d97ac67a1ac40696e996f2e4f7419dbc0603
Opcode Fuzzy Hash: 7b03a8afde240e63325aee783a5b8916dbdd51094855a306ade36a26221aeed5
Instruction Fuzzy Hash: 87F0AF35904340DFDB21CF49D985BA6FBE0EF44620F08C4AADD094F796D3B9A458CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0154026D Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095904008.0000000001540000.00000040.00000020.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f1b489c9c805b4c69786d89a1651864d91fc47523a8e5536437d79c6dab752
Instruction ID: fc0199034518bf28ab3ead0b70213028503778f74a5c4cdbb5eb7ebc5cd6d884
Opcode Fuzzy Hash: 41f1b489c9c805b4c69786d89a1651864d91fc47523a8e5536437d79c6dab752
Instruction Fuzzy Hash: 5031DDA294E3C04FD7534B349C64195BFB0AE93128B1E80DBD485CF5E3E16D480ACB63

Uniqueness

Uniqueness Score: -1.00%

Function 053B02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3ef7cf36f15e6db4c6c923dd77a9feae113de49a74cdb4234a488485d9845f
Instruction ID: da5eaca1075ea7f66f68786c6e6e0a065d9c09791033446ab80ae067d92c8019
Opcode Fuzzy Hash: ac3ef7cf36f15e6db4c6c923dd77a9feae113de49a74cdb4234a488485d9845f
Instruction Fuzzy Hash: D7B16E34B01210CFCB19DB76ED59A5E7BF2FF88250B10816ADA069B354DBB89C94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053B0799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31e0b5efdcb8841d47087d46f61e2eb3dea047fc4d5e9c00bf87b88ee57c13e
Instruction ID: 3f19725545ab8696f7a260ed96ede862d5b50b08f9e000303ae54f5b4230ee93
Opcode Fuzzy Hash: d31e0b5efdcb8841d47087d46f61e2eb3dea047fc4d5e9c00bf87b88ee57c13e
Instruction Fuzzy Hash: 54A17D30B002018FDB19DBB9D8557BE77B3FB84308F148469D9169B794DFB89C458B91

Uniqueness

Uniqueness Score: -1.00%

Function 053B0C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2759c5c5f5369b60aeb0511e2601f3fdf467e2802998a1a2c2abff211f99c1
Instruction ID: 755385af0ead525992589a5cc8b17287ebab911e7dabe8befaea325d42236a2b
Opcode Fuzzy Hash: 6e2759c5c5f5369b60aeb0511e2601f3fdf467e2802998a1a2c2abff211f99c1
Instruction Fuzzy Hash: A1210730B002048FE719DB7989516AFBAEBABC5204B44443CD546DB380DF7EAD428B92

Uniqueness

Uniqueness Score: -1.00%

Function 053B0CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da146c0551f1a22ad1fc381264d9b749561b67b60c819e72cd050f3583e7961
Instruction ID: 84e4e59c8eb02cd8400723f09f64f05048231bec74928d4027e8214b2337d469
Opcode Fuzzy Hash: 4da146c0551f1a22ad1fc381264d9b749561b67b60c819e72cd050f3583e7961
Instruction Fuzzy Hash: 7721EA30B007048BD715DB7AC5516AFBBEBAFC5104B44883CC146DB784DF79AD068792

Uniqueness

Uniqueness Score: -1.00%

Function 053B0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73abeffa12b45aab0d49ce3fcdbbf27648b0acddbecb7cb72cadacc1f3744bb5
Instruction ID: 2d357ebd30b9d949f337b18591dbdf2ed18dbc25880d83ad72029f254ecc5421
Opcode Fuzzy Hash: 73abeffa12b45aab0d49ce3fcdbbf27648b0acddbecb7cb72cadacc1f3744bb5
Instruction Fuzzy Hash: 3511B131A20118AFCB08CBB4DC45CDF7BF6EB88314B144179E605E7264DB799C068780

Uniqueness

Uniqueness Score: -1.00%

Function 053B0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a7ecb3673523ae2d8ccbd25b19df5694c0736db4a5b8701b4f8a3375a504e6
Instruction ID: 7447f4469c916b60a123ea85f3bd4b8ffac24d3c313f61f372ed66c3848ad45b
Opcode Fuzzy Hash: a3a7ecb3673523ae2d8ccbd25b19df5694c0736db4a5b8701b4f8a3375a504e6
Instruction Fuzzy Hash: 95118C32A10118AF8B149BB4DC459DF7BF6EB88214B144579E606E7270DF79AC0A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01540810 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095904008.0000000001540000.00000040.00000020.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1ff156f12270362511ebcf4ac2eabebdc33acab7f937eae1bb9cc5febbbf9f
Instruction ID: 06524bc7cc64be1b6a498143acb531bc2cda2ce030572feeaa96ea3f798555dd
Opcode Fuzzy Hash: 6f1ff156f12270362511ebcf4ac2eabebdc33acab7f937eae1bb9cc5febbbf9f
Instruction Fuzzy Hash: 6D0184B64096406FD300CB45EC41C57FBE8DF96524F04C46AED489B601D231A9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 015405E7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095904008.0000000001540000.00000040.00000020.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea916e0fbc8044ac29f71a0ef3013e9c2382562fa8f38cdcf9394658a262e94
Instruction ID: aa65dc7df6cb2aae163ab0ac01223a95e381378f57acb45cdc57d11d7df84bf9
Opcode Fuzzy Hash: 3ea916e0fbc8044ac29f71a0ef3013e9c2382562fa8f38cdcf9394658a262e94
Instruction Fuzzy Hash: FEF049B65097805FD7118F059C40863FFA8DB86620749C4AFEC499B752D235B909CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0154082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095904008.0000000001540000.00000040.00000020.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14595f6d31441d4e64b96f5f8b2fcfcbbd0060ea6a0ef04edc4fd45684fb3bce
Instruction ID: eca232974ebeb2cde65187ff8ae35f4b2b9ef08e23b36a0d6427f9532d8529be
Opcode Fuzzy Hash: 14595f6d31441d4e64b96f5f8b2fcfcbbd0060ea6a0ef04edc4fd45684fb3bce
Instruction Fuzzy Hash: F3F082B2905204ABD300DF49ED45866F7ECDFD4521F04C56AED088B700E276A9198AF7

Uniqueness

Uniqueness Score: -1.00%

Function 053B0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f856da16e5f200c203aaefd2d57180a9a1b290d43f6bebacb6ce32618c85eaae
Instruction ID: e090e6010e04aadaf1208491377ed38a083c07007fee864a4a4cc79cd454d7ce
Opcode Fuzzy Hash: f856da16e5f200c203aaefd2d57180a9a1b290d43f6bebacb6ce32618c85eaae
Instruction Fuzzy Hash: 0CE0DF31F243142FCB48DFB9985159EBFEAEB85264B5545BEC008DB351EF388C028B81

Uniqueness

Uniqueness Score: -1.00%

Function 01540606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095904008.0000000001540000.00000040.00000020.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac675ea3c2f771579361688ba90d24097cc80443b614bbc81c7fa68cdb466fc
Instruction ID: 98bbae8fd80345b8d232a100bfa3ff7cd779ddcef0d7597609c068caa11f256f
Opcode Fuzzy Hash: 4ac675ea3c2f771579361688ba90d24097cc80443b614bbc81c7fa68cdb466fc
Instruction Fuzzy Hash: 8DE092B6A006408B9750CF0AEC41452F7D8EB84630B08C47FDC0D8B701E235B909CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 053B0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebde3859744bc0437ec7390efec086f69d2c043989ae3fadb51594415a5e613
Instruction ID: 985d91742692199d4de11956c9953944c0b790d3c92eec257c44e7f6beda00d6
Opcode Fuzzy Hash: 8ebde3859744bc0437ec7390efec086f69d2c043989ae3fadb51594415a5e613
Instruction Fuzzy Hash: FAD01231F042182B8B48EFF9985159EBAEA9B84154B55447D9009D7340EE399C0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 053B0DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0649136811401a6f6185f432ea9cfe5bce8cb3c1509612ef7366ebb25c63859
Instruction ID: 24155dd6f70cb8a8caeef7058a426c2883acc76372f33014d9c4223f56304577
Opcode Fuzzy Hash: f0649136811401a6f6185f432ea9cfe5bce8cb3c1509612ef7366ebb25c63859
Instruction Fuzzy Hash: 8BE012302903008FD70D9774D91A9E73BA5AB91324F4581AA90049B562D7BDCC86C750

Uniqueness

Uniqueness Score: -1.00%

Function 053B0E09 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8b4aa5cc200db2cfc6054ddeccbfaaf6456b963ffb8c29b118055989c5915d
Instruction ID: d53181d6d3145c380f6a56da68b3ebeda284c6e17f1405549038b3eb85139a0d
Opcode Fuzzy Hash: 2e8b4aa5cc200db2cfc6054ddeccbfaaf6456b963ffb8c29b118055989c5915d
Instruction Fuzzy Hash: 54E0C2302903008FDB0987B4D81A9E63BA0AB81320F4581A890044B562C7BCCCC2C741

Uniqueness

Uniqueness Score: -1.00%

Function 015023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095792363.0000000001502000.00000040.00000800.00020000.00000000.sdmp, Offset: 01502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1502000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2298747550c3a46d8bbff0371af62921bc6c53c599ad1b4a2600534d8b9b148
Instruction ID: 231c718484cb5ed0b786f2d4d70cec2e3cec2255fb5ebce47e6d92a410d2d392
Opcode Fuzzy Hash: b2298747550c3a46d8bbff0371af62921bc6c53c599ad1b4a2600534d8b9b148
Instruction Fuzzy Hash: F3D05E792056D14FE3279A1CC6A8B993BE4BB55714F4B48F9AC00CF7A3CB68D581D600

Uniqueness

Uniqueness Score: -1.00%

Function 015023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095792363.0000000001502000.00000040.00000800.00020000.00000000.sdmp, Offset: 01502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1502000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3850322a9bf7c0977d44663cf6115ca40fb7fd971ae894870c9b71f5e4f5dc80
Instruction ID: dad3c0bddb834f402de2d5f9a4066582706caeb4110760398e37346088819087
Opcode Fuzzy Hash: 3850322a9bf7c0977d44663cf6115ca40fb7fd971ae894870c9b71f5e4f5dc80
Instruction Fuzzy Hash: 92D05E342006814BDB26DE0CD6D8F9D3BD8BB45714F0648E8AC108F7A2C7B4D8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Function 053B0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8be8fd2e00650c85ec0e9a6e6215c511a9df97bc8f7e95207f38c8886108a29
Instruction ID: 4bab5881e9a4491378abf5f8968909135801c2f7a0c8344536988a71ec0bd962
Opcode Fuzzy Hash: f8be8fd2e00650c85ec0e9a6e6215c511a9df97bc8f7e95207f38c8886108a29
Instruction Fuzzy Hash: 11C012303003048BD7089778D91DE6A7B9567C4704F85C16485091B651CBB8EC80C684

Uniqueness

Uniqueness Score: -1.00%

Function 053B0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097597234.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11af35dcbfba0db011c2086f4e812b6272120e1d9ade328a719873c1b8d276d5
Instruction ID: 798137a072dd6b621e90e1f9ba36281944dbbcd78536e8102402e9ac0c19c4ee
Opcode Fuzzy Hash: 11af35dcbfba0db011c2086f4e812b6272120e1d9ade328a719873c1b8d276d5
Instruction Fuzzy Hash: CFC012303002048BD7089778D91DE67779667C4704F45C16485091B651DBB8EC40C6C4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quarantined Messages (3).zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 7076, Parent PID: 2580

General

Chronological Activities

Analysis Process: 7za.exePID: 7164, Parent PID: 7076

General

Chronological Activities

Analysis Process: conhost.exePID: 7152, Parent PID: 7164

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 7076, Parent PID: 2580COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0150B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 0150B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
Quarantined Messages (3).zip

Function 0150B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0150AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0150AB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Function 0150A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0150A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 0150A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0150B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0150AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0150A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0150A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0150A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0150A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0150A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0150AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0150A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON