Edit tour

Windows Analysis Report
Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar

Overview

General Information

Sample name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar (renamed file extension from bz to rar)
Original sample name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.bz
Analysis ID:	1430962
MD5:	89e823923831b6d44bd82f0bcbe83365
SHA1:	6de8f1e77b8fcd88088fa0ea829d971d67e729d4
SHA256:	d7ea3d3adf5514487b2636533ca0fd0e858abd5ff3b4256d9cc7f30b779a22e3
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 5656 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 4368 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\0hfur4z5.wan" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winRAR@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\0hfur4z5.wan" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\0hfur4z5.wan" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1510000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 492			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9476			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5704	Thread sleep count: 492 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5704	Thread sleep time: -246000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5704	Thread sleep count: 9476 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5704	Thread sleep time: -4738000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_012DB1D6 GetSystemInfo,

0_2_012DB1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\0hfur4z5.wan" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430962
Start date and time:	2024-04-24 12:30:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar (renamed file extension from bz to rar)
Original Sample Name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.bz
Detection:	CLEAN
Classification:	clean2.winRAR@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:32:09	API Interceptor	4027512x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3357
Entropy (8bit):	4.998405477137094
Encrypted:	false
SSDEEP:	48:gyCvS93iCvd87SGbRGRGpjGnGRGpcCvdGRGRT7GSGiG/DL1i0wOll545RKDTVXD:gypypkkti0llazK9
MD5:	DB05782D53A0865F5BA04B1434C5C6AE
SHA1:	3BC9AC89D953F630D29C5D79174146E360EF5D29
SHA-256:	E7703180EA784717B795FB14E558AF15ACDB71938A6D1A6815D05FBF28A81814
SHA-512:	EE84533560DB156E2AEA1548D4FB5829F42BF985949FA83A56C87EF65BCE2ABB2557CA057AF4B62CA15F7D34015D3CACC1BE2C383F842D7BA3B798547E86581A
Malicious:	false
Reputation:	low
Preview:	04/24/2024 12:31 PM: Unpack: C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar..04/24/2024 12:31 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\0hfur4z5.wan..04/24/2024 12:31 PM: Received from standard error: ERROR: C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar..04/24/2024 12:31 PM: Received from standard error: Can not open encrypted archive. Wrong password?..04/24/2024 12:31 PM: Received from standard error: ..04/24/2024 12:31 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/24/2024 12:31 PM: Received from standard out: ..04/24/2024 12:31 PM: Received from standard out: Scanning the drive for archives:..04/24/2024 12:31 PM: Received from standard out: 1 file, 696724 bytes (681 KiB)..04/24/2024 12:31 PM: Received from standard out: ..04/24/2024 12:31 PM: Received from standard out: Extracting archive: C:\

Static File Info

General

File type:	RAR archive data, flags: EncryptedBlockHeader
Entropy (8bit):	7.999715366476268
TrID:	RAR Archive (5005/1) 83.31% REALbasic Project (1003/3) 16.69%
File name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar
File size:	696'724 bytes
MD5:	89e823923831b6d44bd82f0bcbe83365
SHA1:	6de8f1e77b8fcd88088fa0ea829d971d67e729d4
SHA256:	d7ea3d3adf5514487b2636533ca0fd0e858abd5ff3b4256d9cc7f30b779a22e3
SHA512:	de55b2047873e9574e5f0a1efee4bc33f0be73450941914b16d1c2030bea0e7d311b831c106d39c5a4711139c2644c760dd637ad1849ea35f8251d7391e00032
SSDEEP:	12288:IGTMAlW5ns2egrzLf/qaBZlJ+PWEhudp1YJJ4c8OlQszYFibOZZZdc7RN:IGoAlOPei/XB5+ubTccDszSZZbcP
TLSH:	19E423A7025CA1CBD5F1BABAE1D915CDF1B287A62A674EE23CE854C561C9F30331B10D
File Content Preview:	Rar!.....s..........>..G/......j.c....X.J.0G... l.....ZvW$.M.HI.%.d.9....sGAZ....}.!l...E..(....A..&.w{.*3h..[.n.vK{.T4..{;h.t..yd.=..fD..X...^kE.<.~L.r.......TZ..-..Ev...f..I..Z.....-....1..#.e......Gjc.F....{.<f.....Z.....A..5...0..a.Lejz&.v+p.'T.^X.E

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	12:31:34
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Imagebase:	0xae0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:31:34
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\0hfur4z5.wan" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Imagebase:	0x840000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:31:34
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 012DB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 012DB208

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: cda861a024d3f17b8f5458b4ad16493df6bd4a7417793fb6e2ce43d9264847cb
Instruction ID: 8602c4d227cb915f6dab79aeb9df85bd5534092755e8d140278a15b28e00aba1
Opcode Fuzzy Hash: cda861a024d3f17b8f5458b4ad16493df6bd4a7417793fb6e2ce43d9264847cb
Instruction Fuzzy Hash: C501D6718102409FDB10CF19D88976AFFE4EF05624F08C4AADE488F756D379A544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012DB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 012DB2F3

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b32883e7daa8728bce5d6a6f476fbb27c95880c0691320ed3b87c7943bccbab
Instruction ID: 0bb61f82bd9fbacca17be7ee7b5ace0bdce901c06cba4dbe022126039bc7ee86
Opcode Fuzzy Hash: 7b32883e7daa8728bce5d6a6f476fbb27c95880c0691320ed3b87c7943bccbab
Instruction Fuzzy Hash: 2B31C671404344AFE7228F65CC45FA7BFFCEF06224F04889AEA85CB562D324A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 012DAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 012DADA7

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c37d1919c63961b4e6b9d60fd4ca118c35b6c5c1b1e493e037b611898fc71683
Instruction ID: 2fa731cd1762397585fa6fffe25e15fbf0868ce1002cbe42036447c66e64bb50
Opcode Fuzzy Hash: c37d1919c63961b4e6b9d60fd4ca118c35b6c5c1b1e493e037b611898fc71683
Instruction Fuzzy Hash: AF3195714043846FE7228B65DC44FA7BFECEF05224F04889AF985DB562D325A519CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012DAB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 012DAC36

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 701b6d22c3dfcca22e542efa6332d80f5ddb1e28990825632d94363c7cbc060a
Instruction ID: 18985f2ec5bd49ff348fd8cc457f6c919c56745953f08fa7f137682f882e3ea6
Opcode Fuzzy Hash: 701b6d22c3dfcca22e542efa6332d80f5ddb1e28990825632d94363c7cbc060a
Instruction Fuzzy Hash: F3318D7240E7C06FD3038B618C65A56BFB4AF47210F1A84CBD8C4CF5A3D2296909C762

Uniqueness

Uniqueness Score: -1.00%

Function 012DA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 012DA67D

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92bbd455c6cf4843d403de503da6847c8772b8efdb7030d98a2ef61e8abc1a33
Instruction ID: a097016bab4e4a70b0a2095f1d94e19bf0a152cdef596f62190893a55936a0c3
Opcode Fuzzy Hash: 92bbd455c6cf4843d403de503da6847c8772b8efdb7030d98a2ef61e8abc1a33
Instruction Fuzzy Hash: B4319171505380AFE722CF65CC44F66BFE8EF45224F08889EEA858B652D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012DA120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 012DA1C2

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4c11e75fb201c7fd322035a76170d4d404e3129666aae7cdb43149a5657372f3
Instruction ID: e1a9aa3e1e78e443ff654593eb78f220ab99dd8173ab922ee0bef747c339b388
Opcode Fuzzy Hash: 4c11e75fb201c7fd322035a76170d4d404e3129666aae7cdb43149a5657372f3
Instruction Fuzzy Hash: 3321B07150D3C06FD3028B258C61BA6BFB4EF47610F1984CBD984DF693D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 012DAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 012DADA7

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 10a9baa554812842b147e9fbb1eedacbc636d860fa88b15a4c012e8ed786df59
Instruction ID: 470f0889ee606efeff221ff672553545c6d0e64a248316be285080b9e2299b70
Opcode Fuzzy Hash: 10a9baa554812842b147e9fbb1eedacbc636d860fa88b15a4c012e8ed786df59
Instruction Fuzzy Hash: BD21F172400204AFEB218F55CC45FABFBECEF04224F04886AEA458BA51E734E448CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 012DB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 012DB2F3

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89e4cf913e1a98ee9df6d5d77dd80b86009da53418b39f42b93ecd3f3bedd77d
Instruction ID: 87195451707a8dd8f8f2b109a2820d7cb2e3f7416510b995f373a7b76a8db0c5
Opcode Fuzzy Hash: 89e4cf913e1a98ee9df6d5d77dd80b86009da53418b39f42b93ecd3f3bedd77d
Instruction Fuzzy Hash: A221B272500204AFEB218F55CC45FABBBECEF05224F04886AEA458BA51D774E5488B61

Uniqueness

Uniqueness Score: -1.00%

Function 012DA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA40C

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4feab1303a80301e0e465dda6efc964b1a9b7f97d1c34560a601dd1348d4fbea
Instruction ID: 6d8a3e34123b5e30f4de5bac1e611cb15c0f1f8872f9ad10aea4a9ffde876f3a
Opcode Fuzzy Hash: 4feab1303a80301e0e465dda6efc964b1a9b7f97d1c34560a601dd1348d4fbea
Instruction Fuzzy Hash: 87219F71504740AFE722CF15CC84FA7BBFCEF05610F08849AEA85CB652D364E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012DA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA8DE

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9786a93349b3c27944b8619eb621f19a3a2112ef8cbfa6a241512059f80bc213
Instruction ID: 5253dca6ffa82725e4ea37e01e7f9ff46b0a51638277c31d57d5ddb4edbe0c45
Opcode Fuzzy Hash: 9786a93349b3c27944b8619eb621f19a3a2112ef8cbfa6a241512059f80bc213
Instruction Fuzzy Hash: 8B21C1714093806FE7228B14DC44FA6BFB8EF46724F0988DAEA848F653D225A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 012DA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA9C1

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: dd68b503bd1076bbfb7040f3986b9ad8f380724a5b0cbb25c2e363f1bece97e8
Instruction ID: 8506cbb853e91a8644c3c407cb690250a4c2c49deaf8bf9c30e3b48b00b11c03
Opcode Fuzzy Hash: dd68b503bd1076bbfb7040f3986b9ad8f380724a5b0cbb25c2e363f1bece97e8
Instruction Fuzzy Hash: 6621B271409380AFDB22CF55CC45F97BFB8EF06214F0884DAEA849F252D365A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 012DA67D

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2d661da700fd397675adc1c0d9cff14c86f916f9a38d04811414411d14b65a24
Instruction ID: a063d10d7a36d6c1c9ad38f52519281e59afb0077614d8fb26a527eed87ded6a
Opcode Fuzzy Hash: 2d661da700fd397675adc1c0d9cff14c86f916f9a38d04811414411d14b65a24
Instruction Fuzzy Hash: 43219071500240EFEB21DF69CD45FA6FBE8EF48224F088869EA458B651E375E509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012DA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA815

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: bedc59a4c6a37dc680aff58180bc9304756b37e5334001b3da93d7a9ce22d711
Instruction ID: 9dbbcf86a99acc4c5e625924b3b32054a591effc50f2bfc991348b2bcd3abc58
Opcode Fuzzy Hash: bedc59a4c6a37dc680aff58180bc9304756b37e5334001b3da93d7a9ce22d711
Instruction Fuzzy Hash: B121D5B54097806FE7128B15DC45BA6BFB8EF47724F0880DBEE848B693D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 012DAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 012DAA8B

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 8189ef0337f3afe1321e8786e6a83aafaecbc0640612a509f9cd5c0f780ab8a4
Instruction ID: 27da7dc720a1602f53c09e404209fbb324d23c0223f7c78d02b23f3cd859f040
Opcode Fuzzy Hash: 8189ef0337f3afe1321e8786e6a83aafaecbc0640612a509f9cd5c0f780ab8a4
Instruction Fuzzy Hash: B821AF755093C05FEB12CB29DC55B92BFE8AF06214F0D85EAE984CF153D225D909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012DA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA40C

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bd7c536af365bec15636cf6532cf7639fbe1074eb76cf812fcf7adf1dc0f7282
Instruction ID: e454c75d2e5ed668c2158db85658f857ec45735cbbcf0d6fd815da55c3e713a6
Opcode Fuzzy Hash: bd7c536af365bec15636cf6532cf7639fbe1074eb76cf812fcf7adf1dc0f7282
Instruction Fuzzy Hash: 002190756006049FE721CF19CC85FA7FBECEF04624F04C45AEA458B651E7A4E949CA71

Uniqueness

Uniqueness Score: -1.00%

Function 012DA6D4 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012DA748

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 18a318a9ef24b323f0e61fddab90e1263071c5dc7f9ef3d69e462c154dd97623
Instruction ID: a33a5943052dca373170d37d1cabe8190b88288b1e55ffddac18b940c823323f
Opcode Fuzzy Hash: 18a318a9ef24b323f0e61fddab90e1263071c5dc7f9ef3d69e462c154dd97623
Instruction Fuzzy Hash: 1921D1B58097C09FD7128B29DC95B92BFB4EF02320F0984DBDD858B5A3D2249908C762

Uniqueness

Uniqueness Score: -1.00%

Function 012DA962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA9C1

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5fe821e90937c5d6eed50862bdb076fcf5d0338ef1b60b0753d936c8f6291308
Instruction ID: 0ba5777389009d87a644120764f9998774d4822367c494bd1ff2f6e71c71fe2a
Opcode Fuzzy Hash: 5fe821e90937c5d6eed50862bdb076fcf5d0338ef1b60b0753d936c8f6291308
Instruction Fuzzy Hash: 1011BF72400200AFEB21CF55DC85FABFBE8EF04728F04845AEA459B651D375A549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 012DA882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA8DE

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 104deecce5b134239f0d4d6b2cb04b91fd616c191bdb0cee84c0565347957d30
Instruction ID: 1c2e03f8aee4c4a14ce4814f1165290dca084811aca4b0aec90270f37e85d0e7
Opcode Fuzzy Hash: 104deecce5b134239f0d4d6b2cb04b91fd616c191bdb0cee84c0565347957d30
Instruction Fuzzy Hash: 8811BF71400200AFEB218F54DC45FAAFBE8EF44724F04C85AEE459B641D375A5498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 012DA2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012DA30C

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 26fe5e4bfaeb8673cef2645ed1877b57695358a2ece60530172385ec37932ce2
Instruction ID: 42538357e24644d0172645dbb376f786f34c5b9c91cfeb0b955f5bd2dbb301e2
Opcode Fuzzy Hash: 26fe5e4bfaeb8673cef2645ed1877b57695358a2ece60530172385ec37932ce2
Instruction Fuzzy Hash: 4A11A07580A3C09FDB238B25DC54A52BFB4EF47224F0984DBDD848F263D265A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DB1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 012DB208

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: f750a40f5da7048d9c12601ee5d4931a7bf22d20a16b7f3d393af2ffcf9a9cae
Instruction ID: c25ced97bebe198f8ce30da4b914438f242beac0ce3a9ab53cea83fffd71c68a
Opcode Fuzzy Hash: f750a40f5da7048d9c12601ee5d4931a7bf22d20a16b7f3d393af2ffcf9a9cae
Instruction Fuzzy Hash: A41170718093C09FDB128F15DC99B56BFB4EF46224F0984DAED849F253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DAF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 012DAFE4

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c87ea3fca8c000c298983f5047ff59588f7802fd489817e06b82f8a96fa5eb1c
Instruction ID: 3c7492d08e3106ac48f1993b591936f016463bfa916673d7a06909410d88fcbe
Opcode Fuzzy Hash: c87ea3fca8c000c298983f5047ff59588f7802fd489817e06b82f8a96fa5eb1c
Instruction Fuzzy Hash: C611AC715093C09FDB128B29DC95B52BFF4EF06220F0984DAED858B663D265A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DAA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 012DAA8B

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a73441ea67710720416ce65a6df1afeed8a47ff6572394fd57c74967bb0bb52d
Instruction ID: 0c4a527ab59bfa59237b90050a9591b37e266e431a711a47cae49e949c11dc51
Opcode Fuzzy Hash: a73441ea67710720416ce65a6df1afeed8a47ff6572394fd57c74967bb0bb52d
Instruction Fuzzy Hash: A611A1716102419FEB10CF29D985B57FBE8EF04224F08C5AADE09CB642E375E544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DA7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,D8A6D557,00000000,00000000,00000000,00000000), ref: 012DA815

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3951c8e3ce40790d28a4768a34ba9f5d40178b7fb7f0a4deeef4996605e7a373
Instruction ID: 1e6e7413b1d92bf57b624dbc5894f3a221ae4d3cf9202001f943a80fada8c8c0
Opcode Fuzzy Hash: 3951c8e3ce40790d28a4768a34ba9f5d40178b7fb7f0a4deeef4996605e7a373
Instruction Fuzzy Hash: 8201D671504200AEE721CB05DC46FABFBE8DF44724F04C096EE058B741E3B8E949CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 012DABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 012DAC36

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 9f1b3cef96a912bb3dac7a0e5ea815c3f0c4098d2c17eb4e7ca868729fef51ac
Instruction ID: 847bf6b486feca2a6271bfceae57e1807a208f260275819612a0d3e9f916721e
Opcode Fuzzy Hash: 9f1b3cef96a912bb3dac7a0e5ea815c3f0c4098d2c17eb4e7ca868729fef51ac
Instruction Fuzzy Hash: 8D017171900600AFD350DF16DC46B66FBE8FF88A20F14855AED489BB41E731B916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 012DA172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 012DA1C2

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: c2294490a52e8106227f5845690b768770ea849e5e9087c4efb5ad1706bbe1a1
Instruction ID: 5a0225e2e7215761faaeb4e6fc42a1526ee63ad6c91f639e93c69775ab244da5
Opcode Fuzzy Hash: c2294490a52e8106227f5845690b768770ea849e5e9087c4efb5ad1706bbe1a1
Instruction Fuzzy Hash: 7F01B171900600AFD350DF16CC46B66FBE8FF88A20F14855AED089BB41E731B916CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 012DA716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012DA748

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 187444733a3bffeb4e3441ee18e049b5dff35533f01f4f192232e797b7362540
Instruction ID: f5e8ea949e0dc2cedfffbbbe630e12d42175c1cca613dc4bb9c3abf290ab16ae
Opcode Fuzzy Hash: 187444733a3bffeb4e3441ee18e049b5dff35533f01f4f192232e797b7362540
Instruction Fuzzy Hash: 1C01F7719002408FEB10CF19D885BAAFBE4DF00224F08C4AADD468F752D279E544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012DAFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 012DAFE4

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 16b68b87bb4e71878e7e14cae0edd40302716114bc809044eb79b6ff0756ff22
Instruction ID: 2ab0319c00f77e488a0567fa07dd46f48fa6a8bf78446a46d659863f19f9b603
Opcode Fuzzy Hash: 16b68b87bb4e71878e7e14cae0edd40302716114bc809044eb79b6ff0756ff22
Instruction Fuzzy Hash: BC01F9755102408FDB118F19D885766FFE4EF05224F08C0EADD458B792D379E448CE61

Uniqueness

Uniqueness Score: -1.00%

Function 012DA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012DA30C

Memory Dump Source

Source File: 00000000.00000002.4551053805.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 47d9d0d749cfab7be484161d44bf6a211e436bf0a7f5b95de2457cb61840b163
Instruction ID: 88e933cb8379fe367a46a72863f9ee5015563f58d9b2d5b39f36c47da0e3328e
Opcode Fuzzy Hash: 47d9d0d749cfab7be484161d44bf6a211e436bf0a7f5b95de2457cb61840b163
Instruction Fuzzy Hash: B9F0AF35815240CFDB608F09D886B66FFE0EF44624F08C09ADE494B756D7B9A558CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 014F0799 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

\O5l, xrefs: 014F0966

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID: \O5l
API String ID: 0-1030507070
Opcode ID: fed6c19c33d13749a9ef93f84440285741c8d1484c6dce4e0150b86ebb1c70b8
Instruction ID: 91f5423f50e2b90d154e657bb98c5f03db59367d5f1ff676c530842263b87194
Opcode Fuzzy Hash: fed6c19c33d13749a9ef93f84440285741c8d1484c6dce4e0150b86ebb1c70b8
Instruction Fuzzy Hash: 9CA14C34B012048FDB19ABB5D8547BE7BE3EBC8308F148069EA069B795DF788C46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014F0C99 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

KM , xrefs: 014F0D6E, 014F0D73

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID: KM
API String ID: 0-690582231
Opcode ID: 31ead5c180e9362fa8f1aa4a2f4533844b5d4a9963fa7d0ef4710dcb3e7050e0
Instruction ID: 19491264c185584f347fa9bcabe3f206a5f25da31b1607f8a8c91fc74329619f
Opcode Fuzzy Hash: 31ead5c180e9362fa8f1aa4a2f4533844b5d4a9963fa7d0ef4710dcb3e7050e0
Instruction Fuzzy Hash: FF213631B006148FCB15DB7AC8013AE7FD3AFD5248B48842CE445DB790DF3AAE028791

Uniqueness

Uniqueness Score: -1.00%

Function 014F0CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

KM , xrefs: 014F0D6E, 014F0D73

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID: KM
API String ID: 0-690582231
Opcode ID: c1685259fb483d61cd1fc00e93e16ddad06a15a1620abe46c29cc3a0f4735b26
Instruction ID: 4ec2edae5000c933ce222b1ef1e518313489083f5ed753805bcecab112cbd47c
Opcode Fuzzy Hash: c1685259fb483d61cd1fc00e93e16ddad06a15a1620abe46c29cc3a0f4735b26
Instruction Fuzzy Hash: 0B213331B006248BCB15EB7AC8113AFBBD7AFD5208B48842CD446DB780DF79AD078791

Uniqueness

Uniqueness Score: -1.00%

Function 014F02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973ac4a3fafff79bc537db14f1112810bf812712df88e9e76deda337cbe1a2d9
Instruction ID: 2d43ede751b6a64e7a8e76c386cf1df17b680f79917ae64af4609c8eb26ce1d3
Opcode Fuzzy Hash: 973ac4a3fafff79bc537db14f1112810bf812712df88e9e76deda337cbe1a2d9
Instruction Fuzzy Hash: A5B17C34B00210CFC718DB6AEC59A5E7FF2FF88241B5081AAEA069B755CB749C91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 014F0B8F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0671b7b7d7474fd98d8dc00472f7afc037a3e70162fc46de02805b6925bbb122
Instruction ID: e2be3ec9388180497fe2a784fe9126f22f962cb21521b44b30f3b86b68383adb
Opcode Fuzzy Hash: 0671b7b7d7474fd98d8dc00472f7afc037a3e70162fc46de02805b6925bbb122
Instruction Fuzzy Hash: FA119336E1021CAFCB54DBB4D8449DF7BF2EF88214B054579E906D7764DB319C5A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 01500883 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551299634.0000000001500000.00000040.00000020.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5635dc875c9ad23e741aae3802b56c9cd40c7ccf291804ed2dcdcdb285d022
Instruction ID: 54d22a6f09ff077145a062c1328be6aa15c58a3f70981a1c8b249559960e10e0
Opcode Fuzzy Hash: 4a5635dc875c9ad23e741aae3802b56c9cd40c7ccf291804ed2dcdcdb285d022
Instruction Fuzzy Hash: DE11E56280E3C05EE70397645C1569ABFB4AF43224B1D81EBD884CF693D256490EC7F3

Uniqueness

Uniqueness Score: -1.00%

Function 014F0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97067b8f8338fb616702a9ce47ff9726eaa227cd335b6297b1fe1730ebb55663
Instruction ID: 6f6a5928b581b1071e6cd9b374195fdeedcd145d12ac698da25a90473a2419b8
Opcode Fuzzy Hash: 97067b8f8338fb616702a9ce47ff9726eaa227cd335b6297b1fe1730ebb55663
Instruction Fuzzy Hash: 36118F32A1011CAF8B54DBB5D8449DFBBF6EF88214B054475EA06E7764DB31AC0A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 01500807 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551299634.0000000001500000.00000040.00000020.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0abaea26ac1f79af0d740293b9520597a2be9ca7a50f0e1a8ea22a8e4cc5fc
Instruction ID: a9d576037ccdbcf7f79a913bc7fa63f5712998196abda28196e357bf845da51a
Opcode Fuzzy Hash: 7a0abaea26ac1f79af0d740293b9520597a2be9ca7a50f0e1a8ea22a8e4cc5fc
Instruction Fuzzy Hash: 6A01D8B64096406FD301CF15EC41C57BFF8DF86524F04C4AAED488B612E225A9098BF2

Uniqueness

Uniqueness Score: -1.00%

Function 015005DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551299634.0000000001500000.00000040.00000020.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2cf926bb00bd50dd70c4d2a8037100560d918569152d8f1b59592c2fb9da87
Instruction ID: c94967ac937b5bf38d18d65f0c7559dc9a86194547cfa9caa435297acc42bcdc
Opcode Fuzzy Hash: 9c2cf926bb00bd50dd70c4d2a8037100560d918569152d8f1b59592c2fb9da87
Instruction Fuzzy Hash: FB01F9B64097806FC7128F15AC41863FFF8DF86230709C59FEC498B652D225A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0150082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551299634.0000000001500000.00000040.00000020.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8861ccb6d8eb3cddf02baba962330e87cbb9dc55b3a85746840b70757ab2f907
Instruction ID: 74f765dd6228bbb2b945637c0d891db8ecc3d0bed02c8b886988eaca63410e45
Opcode Fuzzy Hash: 8861ccb6d8eb3cddf02baba962330e87cbb9dc55b3a85746840b70757ab2f907
Instruction Fuzzy Hash: 37F082B6905604AF9340DF05ED4586AF7ECEF84521F04C56AED488B700E276AA198BF2

Uniqueness

Uniqueness Score: -1.00%

Function 01500606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551299634.0000000001500000.00000040.00000020.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4b6197ed72f040655c2291624e1ea3ef918f04cc340205d55a30d56ed871b7
Instruction ID: 76ac2e76fc6174e2950bd1072e3f94425dbb651fcc0c33ebee4d1c2630f056a5
Opcode Fuzzy Hash: 3b4b6197ed72f040655c2291624e1ea3ef918f04cc340205d55a30d56ed871b7
Instruction Fuzzy Hash: 24E092B6A006004F9650CF0AEC41466F7E8EB88630B08C47FDD0D8BB11E636B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 014F0C50 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d87c3322814be2537b69cd934f1969d0d3b3ce39dda5b6f00129babce2ed7b9
Instruction ID: e901159c1611f84ff45914b54753c1d791b427038bc30c32bf3cf1b28cc99af8
Opcode Fuzzy Hash: 5d87c3322814be2537b69cd934f1969d0d3b3ce39dda5b6f00129babce2ed7b9
Instruction Fuzzy Hash: B3E0DF31F153181FCB44DBB988405DE7FE6EB95164B4144BAC409D7780EF3598868380

Uniqueness

Uniqueness Score: -1.00%

Function 014F0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040fefed1200c45ea64dff4a5014d418e744e78130436e7e9feb533d2b761dfd
Instruction ID: ef7e32cf0c03e2af62a715b9a4b639a96cf7d65e9a93041ba298b2476b6497ac
Opcode Fuzzy Hash: 040fefed1200c45ea64dff4a5014d418e744e78130436e7e9feb533d2b761dfd
Instruction Fuzzy Hash: 69D0C231F0021C1B8B04EAB958005DE7BEA9BC4064B4040798409D3740EE30A84583D0

Uniqueness

Uniqueness Score: -1.00%

Function 014F0E08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1bb702d3e54dc75d41136e39436e83d990c546ae3c3338a5f5a79f0bb3cd42
Instruction ID: e25653080b4f2a84489c2494c631f13feb0801fed30fd229316a144d83b3922e
Opcode Fuzzy Hash: 3c1bb702d3e54dc75d41136e39436e83d990c546ae3c3338a5f5a79f0bb3cd42
Instruction Fuzzy Hash: B1D012312513058FC7468B64D8149D57FA19FD6224B85C1AB95088B772C679CD45C700

Uniqueness

Uniqueness Score: -1.00%

Function 014F0DD1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fa774d6962330af66f25aa01c253109e661c383eb07b74d4011d05079a9198
Instruction ID: e50ff5eee41af04808eb6c7bcb27ff4391fd0ef478143a0e2cbb9edd4f15b1a5
Opcode Fuzzy Hash: d1fa774d6962330af66f25aa01c253109e661c383eb07b74d4011d05079a9198
Instruction Fuzzy Hash: 87E012305443458FC7468B74D8149A57BA2AFD1214F4581AA99448B766C7789C84D740

Uniqueness

Uniqueness Score: -1.00%

Function 012D23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551037809.00000000012D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12d2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249fd588810bee150194934024c2dd38ae8fe76ee2091e6cbd772fda667ee6c7
Instruction ID: 8eb4fbb930cac1db71a8452ef16b2f2eaec5dd0fab1ee1ec16a99bba5eb81902
Opcode Fuzzy Hash: 249fd588810bee150194934024c2dd38ae8fe76ee2091e6cbd772fda667ee6c7
Instruction Fuzzy Hash: 26D02E792016D28FE3138A0CC2A4B853BE4AB40704F0A00F9AC008B763C728D580C200

Uniqueness

Uniqueness Score: -1.00%

Function 012D23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551037809.00000000012D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12d2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0f88e415eb66f4198237fc77f2caa1d7c21dcf49c77461df4c030bd090c1f0
Instruction ID: b5ef2b0bb357023ea2de818fa32944bbb981e3023a87a0b904119416212cf6cc
Opcode Fuzzy Hash: 1b0f88e415eb66f4198237fc77f2caa1d7c21dcf49c77461df4c030bd090c1f0
Instruction Fuzzy Hash: 29D05E342002828BD715DB0CC2D4F597BD4BB80715F0644E8BD108B762CBB4D8C0CA00

Uniqueness

Uniqueness Score: -1.00%

Function 014F0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186fcdedc6f38ce73f9877c4bf22eba9ddd470be3c317d36d259296064d6ad49
Instruction ID: dfca121b03610c1a9d083ec600702f8e804e3bdc0db0bedd41511aacc883ba20
Opcode Fuzzy Hash: 186fcdedc6f38ce73f9877c4bf22eba9ddd470be3c317d36d259296064d6ad49
Instruction Fuzzy Hash: 67C012302003088BD7049BA9DC18A2677975BD0614F45C069AA080B766CB74EC80C680

Uniqueness

Uniqueness Score: -1.00%

Function 014F0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4551284103.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222d53b58d30aa2e0b87149488982d3aab1e2a883a795568cb8fe3b2512d0523
Instruction ID: f2afa61757ab0c2303dbad9024664cfa2c436f873e667bf14d37aec8f99bc26f
Opcode Fuzzy Hash: 222d53b58d30aa2e0b87149488982d3aab1e2a883a795568cb8fe3b2512d0523
Instruction Fuzzy Hash: 4BC012312003088BC7049BA9D918A2A7B965BD4604F85C0696A080B362CB74EC40C640

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 5656, Parent PID: 4004

General

Chronological Activities

Analysis Process: 7za.exePID: 4368, Parent PID: 5656

General

Chronological Activities

Analysis Process: conhost.exePID: 3260, Parent PID: 4368

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 5656, Parent PID: 4004COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 012DB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 012DB246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar

Function 012DB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 012DAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 012DAB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Function 012DA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 012DA120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 012DAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 012DB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 012DA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 012DA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 012DA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 012DA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 012DA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 012DAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 012DA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Function 012DA6D4 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON