Edit tour

Windows Analysis Report
Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar

Overview

General Information

Sample name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar (renamed file extension from bz to rar)
Original sample name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.bz
Analysis ID:	1431003
MD5:	89e823923831b6d44bd82f0bcbe83365
SHA1:	6de8f1e77b8fcd88088fa0ea829d971d67e729d4
SHA256:	d7ea3d3adf5514487b2636533ca0fd0e858abd5ff3b4256d9cc7f30b779a22e3
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 6128 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 3376 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ggxzk2fq.upc" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winRAR@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ggxzk2fq.upc" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ggxzk2fq.upc" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00982CC1 push edi; retf 006Bh

0_2_00982CC2

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: B60000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 498			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9469			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2576	Thread sleep count: 498 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2576	Thread sleep time: -249000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2576	Thread sleep count: 9469 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2576	Thread sleep time: -4734500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0098B1D6 GetSystemInfo,

0_2_0098B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ggxzk2fq.upc" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431003
Start date and time:	2024-04-24 12:56:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar (renamed file extension from bz to rar)
Original Sample Name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.bz
Detection:	CLEAN
Classification:	clean2.winRAR@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 0
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:58:04	API Interceptor	4160780x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3345
Entropy (8bit):	5.03041711560198
Encrypted:	false
SSDEEP:	48:AlcCvuXVcCvx8PyGblGlGpXGrGlGp3cCvxGlGRTPGyGCGPHL1MpF6J6E85XNMCH1:AlcxcYcIIJMbNrl
MD5:	B9B24D3E54E297CC66FA6A887DAC8533
SHA1:	A19D32D19C2801DC19EE2227FE0B85936645E4E8
SHA-256:	0D8B48EF1A180A5B737B55FB85CAC061C44EC25AC1ADA9308731CF89B4970D79
SHA-512:	2A4CE7AB431D9F8FA6378267D2389B14A5C5A0EE5A7F020CD0A41AD86E12C2385216CAA3D5EC2BAFEFB1F3A1DFF33031828F59FD2E4182076C4FDCC609292807
Malicious:	false
Reputation:	low
Preview:	04/24/2024 12:57 PM: Unpack: C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar..04/24/2024 12:57 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\ggxzk2fq.upc..04/24/2024 12:57 PM: Received from standard error: ERROR: C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar..04/24/2024 12:57 PM: Received from standard error: Can not open encrypted archive. Wrong password?..04/24/2024 12:57 PM: Received from standard error: ..04/24/2024 12:57 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/24/2024 12:57 PM: Received from standard out: ..04/24/2024 12:57 PM: Received from standard out: Scanning the drive for archives:..04/24/2024 12:57 PM: Received from standard out: 1 file, 696724 bytes (681 KiB)..04/24/2024 12:57 PM: Received from standard out: ..04/24/2024 12:57 PM: Received from standard out: Extracting archive: C:\Users\

Static File Info

General

File type:	RAR archive data, flags: EncryptedBlockHeader
Entropy (8bit):	7.999715366476268
TrID:	RAR Archive (5005/1) 83.31% REALbasic Project (1003/3) 16.69%
File name:	Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar
File size:	696'724 bytes
MD5:	89e823923831b6d44bd82f0bcbe83365
SHA1:	6de8f1e77b8fcd88088fa0ea829d971d67e729d4
SHA256:	d7ea3d3adf5514487b2636533ca0fd0e858abd5ff3b4256d9cc7f30b779a22e3
SHA512:	de55b2047873e9574e5f0a1efee4bc33f0be73450941914b16d1c2030bea0e7d311b831c106d39c5a4711139c2644c760dd637ad1849ea35f8251d7391e00032
SSDEEP:	12288:IGTMAlW5ns2egrzLf/qaBZlJ+PWEhudp1YJJ4c8OlQszYFibOZZZdc7RN:IGoAlOPei/XB5+ubTccDszSZZbcP
TLSH:	19E423A7025CA1CBD5F1BABAE1D915CDF1B287A62A674EE23CE854C561C9F30331B10D
File Content Preview:	Rar!.....s..........>..G/......j.c....X.J.0G... l.....ZvW$.M.HI.%.d.9....sGAZ....}.!l...E..(....A..&.w{.*3h..[.n.vK{.T4..{;h.t..yd.=..fD..X...^kE.<.~L.r.......TZ..-..Ev...f..I..Z.....-....1..#.e......Gjc.F....{.<f.....Z.....A..5...0..a.Lejz&.v+p.'T.^X.E

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	12:57:29
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Imagebase:	0x1b0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:57:29
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ggxzk2fq.upc" "C:\Users\user\Desktop\Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar"
Imagebase:	0xd50000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:57:29
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	76
Total number of Limit Nodes:	4

Executed Functions

Function 0098B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0098B208

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3671be914c199f2ac04a562969a6b793a67a71f98fc0cbabec186f1ce39bf972
Instruction ID: cae243f44a0ea3aca95899ae956270d441b957fc925dc675acb4b00adf470f6d
Opcode Fuzzy Hash: 3671be914c199f2ac04a562969a6b793a67a71f98fc0cbabec186f1ce39bf972
Instruction Fuzzy Hash: 7001AD719042449FDB20DF15D984769FBE4EF55324F0CC8AADD098F352D379A418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0098B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0098B2F3

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 378feb41e150b9aa2de9471de972723eb3cbaedbd1b930abd1dec153bfa5dde1
Instruction ID: 1890d1e7f788c173bc0c63ffefd6fa1c8581e830cc2791bb7f5f86e100e0d77b
Opcode Fuzzy Hash: 378feb41e150b9aa2de9471de972723eb3cbaedbd1b930abd1dec153bfa5dde1
Instruction Fuzzy Hash: 6F31C671504344AFEB228B65DC44FA7BFBCEF16314F08889AE985CB652D334A919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0098AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0098ADA7

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e08c5c99a6225ab504aa83754c5a6034d40e7528c5a7b9c2e0d17b001e50d4f7
Instruction ID: b169ca3857f72a04b87ff00578f87e72ab80779c2a2d5d807a2e39a328e82533
Opcode Fuzzy Hash: e08c5c99a6225ab504aa83754c5a6034d40e7528c5a7b9c2e0d17b001e50d4f7
Instruction Fuzzy Hash: 3A31A472504344AFE7228B65DC44FA7BFACEF05214F04889AE985DB652D334A819CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0098AB76 Relevance: 1.6, APIs: 1, Instructions: 92
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0098AC36

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 50c96fdbf4363a3905268609b4106126dc6b23367f309ea6522c974096ca1c3c
Instruction ID: a392668a959f9c6721fa906e0015948f16dc87d90b805e0705fee37ec834122c
Opcode Fuzzy Hash: 50c96fdbf4363a3905268609b4106126dc6b23367f309ea6522c974096ca1c3c
Instruction Fuzzy Hash: A4318F7150E3C46FD3138B318C65A51BFB4AF47210F1A88DBD8C8DF6A3D269A819C762

Uniqueness

Uniqueness Score: -1.00%

Function 0098A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0098A67D

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2d8d70674332ba66652afbdaf5251a95df1723f314cf5b42f511d61f84bf6cf8
Instruction ID: b09c8791fabc03ebf56e2d3f0c88afb67280db79d55be961d52cd286856ae4b7
Opcode Fuzzy Hash: 2d8d70674332ba66652afbdaf5251a95df1723f314cf5b42f511d61f84bf6cf8
Instruction Fuzzy Hash: 00318DB1504344AFE721CF65DD44F62BBE8EF05324F0888AEE9858B652D375E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0098A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0098A1C2

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 264d3f2060af01d3fa75d9623cfd15ab662419107423fb4b365f67e45e3f47bd
Instruction ID: a7296a400130dc66f0510c9519f12f8862bd4a6d7edd4258e21ce7b93bf3b2d3
Opcode Fuzzy Hash: 264d3f2060af01d3fa75d9623cfd15ab662419107423fb4b365f67e45e3f47bd
Instruction Fuzzy Hash: 0521E07150D3C06FD3128B258C51BA2BFB4EF87614F0985CBD884CF693D235A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0098A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 0098A5B6

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 10b7d8852a30b0e3ad65cc705a08ce2c1ae76156c0a0c23dbaa5e8e7d9008551
Instruction ID: e9a6848b8effc9259a4ae5f7d436685cd947332a08a9e61e726802e369ae910c
Opcode Fuzzy Hash: 10b7d8852a30b0e3ad65cc705a08ce2c1ae76156c0a0c23dbaa5e8e7d9008551
Instruction Fuzzy Hash: 1F21A67140D3806FD3138B25CC51B62BFB4EF87614F0A81DBE8849B693D6246919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0098AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0098ADA7

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08bca12900ad6bfd2ec7d8e81f8e84bd91cdeb2725f5ff140c1e1197a82e1161
Instruction ID: d0a29d3c386c12ba13b8e674605d2312b14e091c69493d970ccfe91d7dbfdff3
Opcode Fuzzy Hash: 08bca12900ad6bfd2ec7d8e81f8e84bd91cdeb2725f5ff140c1e1197a82e1161
Instruction Fuzzy Hash: A021B072500308AFEB21DF65DD44FABFBACEF04324F04886AE945DBA51D774E4588BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A40C

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 86485c336ddf9ca410c74c6e424927b850ef219195a7bdafecf9df1df7dd2a56
Instruction ID: f6a7e27c3b1b677a1f7c2c5f568a7b637abbb72ff86b407970d1ae6f3dc8320d
Opcode Fuzzy Hash: 86485c336ddf9ca410c74c6e424927b850ef219195a7bdafecf9df1df7dd2a56
Instruction Fuzzy Hash: 1E217C75504344AFE721CB15CC84FA2BBFCAF05710F08849AE9459B662D374E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0098B2F3

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 837f3a51710495161d021aac639751878a34100e75af97a0e2ead638ca437776
Instruction ID: 9f4bb735a97b85050e972b2200941e676b8649ac735077fe69ff31a895549729
Opcode Fuzzy Hash: 837f3a51710495161d021aac639751878a34100e75af97a0e2ead638ca437776
Instruction Fuzzy Hash: 0F21ED72500304AFEB21DF65CC44FAABBACEF14324F08882AE9458B651D734E8188BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A8DE

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 21397c1d31736e2fc6a6abaddbfbd78fefdabfe30e46989096dd5abb93442d14
Instruction ID: ba2436e87404a438ed8664e18d639fbdfb4b468d0805cbc21d07ea16985a40c3
Opcode Fuzzy Hash: 21397c1d31736e2fc6a6abaddbfbd78fefdabfe30e46989096dd5abb93442d14
Instruction Fuzzy Hash: F321C7715083806FE7228B54DC44FA2BFB8EF46714F0988DAE9849B652C275A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0098A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A9C1

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ce33eabd326cb7e400dc2ae536dedfd410ae363e4fed3f9136f01a95fc5655c1
Instruction ID: 4b96eb3970dbcdca5d71f24599fa2cfa4fedb19ba05ce4dd6b8050aed2bd1ae0
Opcode Fuzzy Hash: ce33eabd326cb7e400dc2ae536dedfd410ae363e4fed3f9136f01a95fc5655c1
Instruction Fuzzy Hash: C821B571409380AFD722CF55CD44F96BFB8EF06314F08889AE9849F252C375A409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0098A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0098A67D

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 06fda4e8e4425952f2034d5236dc5086781c61b9caf0335468992a91abae1a8b
Instruction ID: a6baaa18af0fdf050328aa2a98de800ccef81195794080f64731783429bf8292
Opcode Fuzzy Hash: 06fda4e8e4425952f2034d5236dc5086781c61b9caf0335468992a91abae1a8b
Instruction Fuzzy Hash: 62218E71600204AFE721DF66DD45F66FBE8EF08324F08886EE9458B751E775E818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A815

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: aa179bee8d652764937ee826379fd3313aff01e91c984b86d11f6b9d4f52e4a7
Instruction ID: d60fc7af05f2b15fdb944278eec29dfbcca5337682728b4618fca2510301dba2
Opcode Fuzzy Hash: aa179bee8d652764937ee826379fd3313aff01e91c984b86d11f6b9d4f52e4a7
Instruction Fuzzy Hash: 5021C6B54093846FE7228B15DC40BA2BFB8DF47314F0884DBE9849B253D278A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 0098AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0098AA8B

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ed27859308d55fa7351e577cdf1dc265521a141b836d30e36ea23d3666fa7745
Instruction ID: 1904c6b56f18acd8990f27a0a1cfbe32fb0ef3ff5c034a5ad0d478f36bb05936
Opcode Fuzzy Hash: ed27859308d55fa7351e577cdf1dc265521a141b836d30e36ea23d3666fa7745
Instruction Fuzzy Hash: 6B21B0715083C45FEB12CB29DC55B92BFE8AF06314F0D84EAE884CB653D325D909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0098A748

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b64239a4d93063eede91bc3533b163dcad58982216def338e00746ef57ab75e5
Instruction ID: e69f7b6ae43cfb7bdf5841620b9f7d7d41e893da97526d41f0a41ec1689f00a1
Opcode Fuzzy Hash: b64239a4d93063eede91bc3533b163dcad58982216def338e00746ef57ab75e5
Instruction Fuzzy Hash: FB21FFB59093C09FDB128B25DC91652BFB8EF17324F0984DBDC858F2A3D2749909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A40C

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4e69060a48cabebfb105aa9a4a8b4c4e08eab265f16af05953b9d2b551a26f99
Instruction ID: 2901fcfac4a4bf67d84ea675b9d4b9690a735c3218a6f73cd1977ac29908b060
Opcode Fuzzy Hash: 4e69060a48cabebfb105aa9a4a8b4c4e08eab265f16af05953b9d2b551a26f99
Instruction Fuzzy Hash: D0216D75600304AEEB20DE15CD84FA6B7ECEF04714F08886AE9459B751D774E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0098A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A9C1

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4a88a7078e167a796c79268e17efca93c6a263e4591c8f2b12f24009b1f69ec6
Instruction ID: 9a2932f2886b5d7fd8b95e38825784909497aca1712a60ca50c4b9b11024494a
Opcode Fuzzy Hash: 4a88a7078e167a796c79268e17efca93c6a263e4591c8f2b12f24009b1f69ec6
Instruction Fuzzy Hash: 9211EF72500304AFEB21CF55CD40BA6FBA8EF04324F04886AE9459A741C379A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0098A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A8DE

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 58262c7a639d07aec08f017c045c7d556bb06a40b2b0730f5e9c012bdb454c0c
Instruction ID: 6a5fe2938661936810c6195c7aa68aebcf2fad4bab6b15e6fa6018c1b05ac25a
Opcode Fuzzy Hash: 58262c7a639d07aec08f017c045c7d556bb06a40b2b0730f5e9c012bdb454c0c
Instruction Fuzzy Hash: 42110172500304AFEB20DF54CD40BA6FBA8EF44324F04C86AE9459B741D379A808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0098A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0098A30C

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c8974739923bb49b0df3fc53da96a79cd24dd735e71c6e267cb84159935a58a2
Instruction ID: 2d73381448987899803012a2ad274b91e888c53c5266d993f93f4f4628fac3c9
Opcode Fuzzy Hash: c8974739923bb49b0df3fc53da96a79cd24dd735e71c6e267cb84159935a58a2
Instruction Fuzzy Hash: 2E119E754093C49FDB228B25DC54A52BFB4DF17224F0A84DBD9848F263D279A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0098AFE4

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 96f8c03ba9d2119f59adc50aa4c7256cc73b0995273a24a5a65af2b6c06a4b4b
Instruction ID: 61b9c29ada8b0ee2ad9596ec62860d3b37d8ca70a33f8556dc479929945bad9b
Opcode Fuzzy Hash: 96f8c03ba9d2119f59adc50aa4c7256cc73b0995273a24a5a65af2b6c06a4b4b
Instruction Fuzzy Hash: AD119E755093849FD7128B25DC45A52BFF8EF06220F0D84DAE9858B263D279A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0098B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0098B208

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 447c606afddc35f59a7e312eb775aecad1c3bcb709128875d52260ed4805e2c1
Instruction ID: 8acd005f3ac4ed439584e121813d116211e56ece0d30338fc68bdbbf305cd37b
Opcode Fuzzy Hash: 447c606afddc35f59a7e312eb775aecad1c3bcb709128875d52260ed4805e2c1
Instruction Fuzzy Hash: 0111A0715093849FCB12CF15DC44B56FFB4DF56224F0884DAED848F253D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,60DF1494,00000000,00000000,00000000,00000000), ref: 0098A815

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8b5483b80801515672307340a19b9757e7500dde30d476c78b410b87529b0ec9
Instruction ID: 2834c550937d061671b40732dc39e01ae12c81bf6e7d39045957416aa83ca9e0
Opcode Fuzzy Hash: 8b5483b80801515672307340a19b9757e7500dde30d476c78b410b87529b0ec9
Instruction Fuzzy Hash: 7C012271500304AEE720DB05CD84BA6FBECDF44724F08C4AAED049B741D378A8098BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0098AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0098AA8B

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 104c931305b634954547703ae74d5cf664f604582c5942e49a00aaa82a710a23
Instruction ID: d06af1d768074e95f0babf818647ee616696049c9096c57732b904c81d32c0c4
Opcode Fuzzy Hash: 104c931305b634954547703ae74d5cf664f604582c5942e49a00aaa82a710a23
Instruction Fuzzy Hash: CD1152716042449FEB14DF19D984B56BBD8EF04720F08C8AADD45CB741E779E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0098A1C2

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 0c3cba80dbef6b553eb483ac802b732e298a8f576d139645090f94ac93c58134
Instruction ID: 1dedb53c37e87742f9d603f06ab78ca0a173c50edf7db440993cafb269b20f6d
Opcode Fuzzy Hash: 0c3cba80dbef6b553eb483ac802b732e298a8f576d139645090f94ac93c58134
Instruction Fuzzy Hash: 3A019E71600200AFD210DF16CD45B66FBA8EB88A20F14856AEC089B741D731F915CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0098AC36

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 0530521dbee48744db46103a93021ad944160009bccd9c3cf43410c11cdb7067
Instruction ID: b987285afb3fffc81dc87cdeea6b4533942bac0e3717d7e8f73a26e27064781d
Opcode Fuzzy Hash: 0530521dbee48744db46103a93021ad944160009bccd9c3cf43410c11cdb7067
Instruction Fuzzy Hash: A6019E71600200AFD210DF16CD45B66FBA8EB88B20F14852AEC089B741D731F915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0098A748

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 207573e8cf753ac971bcd3050b42a4ea2120a8bc7bc5317d4aba0eb3cffbd3a1
Instruction ID: 0d1b3aa039d40bff9f77e7dfd89fcde507362e27f1302c56fa42bdcefdc21e24
Opcode Fuzzy Hash: 207573e8cf753ac971bcd3050b42a4ea2120a8bc7bc5317d4aba0eb3cffbd3a1
Instruction Fuzzy Hash: 5901D475A002448FEB10DF15D984765FBE4DF00324F08C4ABDC098B752D379E818DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0098A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 0098A5B6

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 3a5bdbfadcc37728a26a58ba82c957c7f8507f739dbd411ffa5d9990b69c39b8
Instruction ID: eee1bfb5ac3114a21d6efed42d78ac3c6e026791afc24ab178ac78a0a835faa6
Opcode Fuzzy Hash: 3a5bdbfadcc37728a26a58ba82c957c7f8507f739dbd411ffa5d9990b69c39b8
Instruction Fuzzy Hash: FC01A271540600AFD214DF1ACD46B76FBE8FB88A20F148159EC089BB41D731F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0098AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0098AFE4

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1bff72c96424cd46e4512dfe425fc857beb762d78930ac771a79ed21e8040a6a
Instruction ID: 8a3acccabc9f083bd5430cb62107e0e55a822285a7631e3c6eb35a9c44874c17
Opcode Fuzzy Hash: 1bff72c96424cd46e4512dfe425fc857beb762d78930ac771a79ed21e8040a6a
Instruction Fuzzy Hash: 2001D1756002449FEB20DF19D984762FBE4EF05324F08C4AADD098B752E779E858DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0098A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0098A30C

Memory Dump Source

Source File: 00000000.00000002.4507425937.000000000098A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 40574d8a08a4fa1d922566954ed81ccc1766c282fafc84dfc3259e94d4edc7ac
Instruction ID: c6a958e9c436ed98b767ef95136900c3e77a05f01fe9aab874e8647c0d083aa6
Opcode Fuzzy Hash: 40574d8a08a4fa1d922566954ed81ccc1766c282fafc84dfc3259e94d4edc7ac
Instruction Fuzzy Hash: 0EF0FF345042449FEB20DF06D984761FBE4EF04324F08C4ABDD084B356D3B9A818CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D80C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

[M-, xrefs: 00D80D43, 00D80D48

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID: [M-
API String ID: 0-1270787354
Opcode ID: 22221f97d14ced451e07e77f75c2053f8d7c82cde46b425f8a36bf4bfecea63a
Instruction ID: b0c0e7eb4ca75b650250dadd9963dc9984f6638742fb5eba462f9f31f646ed01
Opcode Fuzzy Hash: 22221f97d14ced451e07e77f75c2053f8d7c82cde46b425f8a36bf4bfecea63a
Instruction Fuzzy Hash: EA213631B046109BDB15EB7984517AE7BD65FCA308F54883CD485CB785CF3AED068B92

Uniqueness

Uniqueness Score: -1.00%

Function 00D80CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[M-, xrefs: 00D80D43, 00D80D48

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID: [M-
API String ID: 0-1270787354
Opcode ID: 469d226e2a162932f6415c9ce950da15007923750e9d0883e358261ff4b05652
Instruction ID: d0f25fa0c32a63ffea6b247494f848c0749be38c3d23a79a089fcbee2a9b46be
Opcode Fuzzy Hash: 469d226e2a162932f6415c9ce950da15007923750e9d0883e358261ff4b05652
Instruction Fuzzy Hash: C2210231B006148BDB25EB39C5416AEBBD69FC5308B54883CD486DB784DF7AED0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D802C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec8a5c23313f35a64eb78337bd093a06a7031ea8ee72bee77e7c431f82d52f3
Instruction ID: aa54dd2439374598f1213b5b65d84794cabebfd49b3af2b5ccc5ff94f6d7d389
Opcode Fuzzy Hash: 2ec8a5c23313f35a64eb78337bd093a06a7031ea8ee72bee77e7c431f82d52f3
Instruction Fuzzy Hash: 38B16E39700500CFCB14FF79EA55A5A7BB2FF89350B2084A8E9069B398DB349D05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D80799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dc5405696a45b4f8a5169bc562311e10e2cb7f701e52fb3cee14a4bd5ed23d
Instruction ID: 99262dd35f51ad8cad169631c7bcf7296a9fc55ff1486e659c2c690d005f9455
Opcode Fuzzy Hash: 27dc5405696a45b4f8a5169bc562311e10e2cb7f701e52fb3cee14a4bd5ed23d
Instruction Fuzzy Hash: 2EA1CF34B002048BDB18EB78C95577EBBF7AB84308F248469D906973D4DB78ED06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D80B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331419a33ead4e003ad2f2faad6841209fe3088c6d5259cd9ddbbf223f58d480
Instruction ID: cff6c8a4ac07b5e61826cfb78c7e2d84af1421e20b61963ee0681170ace55f08
Opcode Fuzzy Hash: 331419a33ead4e003ad2f2faad6841209fe3088c6d5259cd9ddbbf223f58d480
Instruction Fuzzy Hash: 93118139A101186FCB05DFB8D84599E7BF2AF89214B2445B9D605E7264DB35A81A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 00D80BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960887f8f801ff23403b413e9f40db54dc3bf85c8adaabf5f9c4b44eb026a079
Instruction ID: 99feecd59fc0585642c502d6813ed93364b033ea87f1f4befd2afa0a1be59374
Opcode Fuzzy Hash: 960887f8f801ff23403b413e9f40db54dc3bf85c8adaabf5f9c4b44eb026a079
Instruction Fuzzy Hash: 73119E36A10118AFCB04ABB8D845D9E7BF6BF88214B244579E605E7224EB35AC198BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3080A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507682771.0000000000C30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60a75e22ffab2647ae25e77c52d31d9421fa37a5d5ae8876b14cd16d9652191
Instruction ID: 9b15ea8588b9b0f185afd23b614f206446688b8136e4d204a87922b692850c91
Opcode Fuzzy Hash: f60a75e22ffab2647ae25e77c52d31d9421fa37a5d5ae8876b14cd16d9652191
Instruction Fuzzy Hash: 2901D4B28093446FC301CB05AD41C92BFFCDF96620B08C4AEEC488B602D225A918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C305E2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507682771.0000000000C30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c6a3f0a11b2f02a1e40726dd4924bedf4e36bb97ce15e51d3dfeedebf0c69a
Instruction ID: 8a02abb1908c9d610f30de94ea2a05e140b4f6dd2de6de8efa44569cdf94c3b5
Opcode Fuzzy Hash: d8c6a3f0a11b2f02a1e40726dd4924bedf4e36bb97ce15e51d3dfeedebf0c69a
Instruction Fuzzy Hash: 64F0A9BA5093846FD7128B069C40862FFA8EB86630749C4AFEC498B612D265AD08C771

Uniqueness

Uniqueness Score: -1.00%

Function 00C3082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507682771.0000000000C30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44250e0e3ca1a8f9f5b927e20221d215def5afae4ab81cabe9cbf7cf09ac039
Instruction ID: 4ec98554f8b8812e4adea2fb2347770a44327abc0497487704528d77a4a5db6e
Opcode Fuzzy Hash: a44250e0e3ca1a8f9f5b927e20221d215def5afae4ab81cabe9cbf7cf09ac039
Instruction Fuzzy Hash: FCF082B2805204AF9300DF05ED458A6F7ECDF94525F08C56AEC088B701E276A9198AE2

Uniqueness

Uniqueness Score: -1.00%

Function 00D80C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60e54d99a5d97e65db165b880a476cbd2225b1172797cd6fb13c5dd3e3837f2
Instruction ID: b2288fd816219268db85c8adff200b514188a789d9a001ebeba3def0e6121152
Opcode Fuzzy Hash: a60e54d99a5d97e65db165b880a476cbd2225b1172797cd6fb13c5dd3e3837f2
Instruction Fuzzy Hash: CFE0D861F183642FCB08DBF8945159D3FA1DB8A160B9445BD9048C7381DF3989028781

Uniqueness

Uniqueness Score: -1.00%

Function 00C30606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507682771.0000000000C30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bb49cc021d7c52cc957722d60d7977573ef9cf1cee8fb620bdb16bc5ea714a
Instruction ID: ba4623f40bd025db92d80784f69bbc8a7856f8b6ac7fdb2c71ec91b8b70ba0a2
Opcode Fuzzy Hash: e9bb49cc021d7c52cc957722d60d7977573ef9cf1cee8fb620bdb16bc5ea714a
Instruction Fuzzy Hash: 10E092BA6006045B9650CF0BED41462F7D8EB84630748C47FDC0D8B701E279B509CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D80C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b742998c88a6a01a36096549025d4ab78f1caf9c81271fc661835879c474d3
Instruction ID: 2af02f387733a0156833442286e15f133c7895bfdedecdc183a9b08ee625824a
Opcode Fuzzy Hash: c4b742998c88a6a01a36096549025d4ab78f1caf9c81271fc661835879c474d3
Instruction Fuzzy Hash: 37D01271F142182B8B58EEF9984159E7AEA9B84164BA4447D9009D7340EE3999018780

Uniqueness

Uniqueness Score: -1.00%

Function 00D80E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a09dcca14908730d48d30fc149d9797272f250117ac36d548f6ed288e88e8b
Instruction ID: 0b7a8c164f70f39f84208bd09a31e5716a66290c64eb5f67e9add8e11f0bcfd5
Opcode Fuzzy Hash: 65a09dcca14908730d48d30fc149d9797272f250117ac36d548f6ed288e88e8b
Instruction Fuzzy Hash: FDE0C2211493808FC706E3B898165983F605B8A200F49C1E698448B1E3C638EC49C791

Uniqueness

Uniqueness Score: -1.00%

Function 00D80DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fae7908557cb8396f1d4ec9b3e5a0cf5bb5faf216d39d43545c931e3f6c1a20
Instruction ID: 9f3d376bd045be25895b3fc0b5d03df765a6916150229cb3fd44db2adfd744ac
Opcode Fuzzy Hash: 5fae7908557cb8396f1d4ec9b3e5a0cf5bb5faf216d39d43545c931e3f6c1a20
Instruction Fuzzy Hash: 35E0C22420D2804FC702D338C8259593F71ABD2204F89C2EAC884CB1EBC628EC48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009823F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507395762.0000000000982000.00000040.00000800.00020000.00000000.sdmp, Offset: 00982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_982000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68369b0af3616730d07cbd3a726766d501bb35ee9b1fa1a8ec3d5a727c850c3
Instruction ID: 81ddf7b5cbb931202c6d2d2379fdd24074fb86bf0430852e2b3177d7fa837ed9
Opcode Fuzzy Hash: e68369b0af3616730d07cbd3a726766d501bb35ee9b1fa1a8ec3d5a727c850c3
Instruction Fuzzy Hash: 3AD05E792096D14FD326AB2CC6A4B9937D8AB51718F4A44FAA800CB773C768D981D620

Uniqueness

Uniqueness Score: -1.00%

Function 009823BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507395762.0000000000982000.00000040.00000800.00020000.00000000.sdmp, Offset: 00982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_982000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b64d37259a502dbed9d922b58d2bff0f3e9ed4804bcf037fbb6077edbdc4b7
Instruction ID: 19899139f0bb6e3eda0148e74a4a4c05c84d63ce85e07060804531898f1c7da1
Opcode Fuzzy Hash: c0b64d37259a502dbed9d922b58d2bff0f3e9ed4804bcf037fbb6077edbdc4b7
Instruction Fuzzy Hash: 15D05E342002814BC726EB0CC2E4F5937D8AB40B14F0644E9BC108B762C7A9D9C0DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00D80E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4815ac73e8e4043eaa6c1186c96b9718b59615c562e7bdc3fc6525c3f3eaff36
Instruction ID: 58ca5a37327880f7cbc9f942b95c5f8d178d93bd026bd0f367e7f94d89b960c5
Opcode Fuzzy Hash: 4815ac73e8e4043eaa6c1186c96b9718b59615c562e7bdc3fc6525c3f3eaff36
Instruction Fuzzy Hash: 85C012312002048FC744B778D519A297B995BC4704F99C56458085B255CA78FC44C794

Uniqueness

Uniqueness Score: -1.00%

Function 00D80DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507803326.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3178c897e4dfdeeebb27261fa69e6b78f952f87736e0110d00067b39c3a84584
Instruction ID: 8e6f6b402069c3086dd3b579da959b34851f2845a23c1b70726adbdc55f621be
Opcode Fuzzy Hash: 3178c897e4dfdeeebb27261fa69e6b78f952f87736e0110d00067b39c3a84584
Instruction Fuzzy Hash: F7C012302002048FC704B778D419A26779667C0304F99C56494084B255CA78FC44C7D4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 6128, Parent PID: 1028

General

Chronological Activities

Analysis Process: 7za.exePID: 3376, Parent PID: 6128

General

Chronological Activities

Analysis Process: conhost.exePID: 4416, Parent PID: 3376

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 6128, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 0098B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 0098B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
Proforma Invoice - Order Confirmation S0167655778 - MLS39876 -20242404 (2).pdf.rar

Function 0098B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0098AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0098AB76 Relevance: 1.6, APIs: 1, Instructions: 92
pipeCOMMON

Function 0098A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0098A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 0098A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0098AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0098A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0098B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0098A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0098A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0098A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0098A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0098AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0098A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON