Edit tour

Windows Analysis Report
upload (1).zip

Overview

General Information

Sample name:	upload (1).zip
Analysis ID:	1431508
MD5:	d118d8fe26bc2afef2c46651e45cdb7a
SHA1:	58db361724a555d6aa3d8d1fb6b2963602067fb2
SHA256:	f8eb12bfb8d3ff7fe304b2852cb531c5d99a6494f92d078e0fea9ecf2b7da73d
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 5896 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\upload (1).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 4284 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\faox30la.tjv" "C:\Users\user\Desktop\upload (1).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_01442589		0_2_01442589
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_0144247C		0_2_0144247C

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\upload (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\faox30la.tjv" "C:\Users\user\Desktop\upload (1).zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\faox30la.tjv" "C:\Users\user\Desktop\upload (1).zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5190000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 2099			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 7870			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7084	Thread sleep count: 2099 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7084	Thread sleep time: -1049500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7084	Thread sleep count: 7870 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7084	Thread sleep time: -3935000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0144B1D6 GetSystemInfo,

0_2_0144B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\faox30la.tjv" "C:\Users\user\Desktop\upload (1).zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
upload (1).zip	0%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431508
Start date and time:	2024-04-25 11:11:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	upload (1).zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:12:58	API Interceptor	4439576x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3327
Entropy (8bit):	4.965860050004042
Encrypted:	false
SSDEEP:	48:mj6KHGHGbHGHGp9GALGHGp3OGbxGCOG/G3GHGHGmiGHGMGHGmFI1ipYHwD35D:meSxFf6g3x
MD5:	390013F6951C9261D9FBE93F93AE22EB
SHA1:	32AE3ECF76DAD7C730FFF84C7F8700EACDB94518
SHA-256:	8E0ACC1C4E8BBAE24A3A649E876A1A98893845BBF204755FA03FDA8A8DDD358F
SHA-512:	DF0904B098D6B84F6C53A3D7EB813C33887D0448DBDEF033ACD11963A724A9928951B4EB71A923EE6E6245A89532FBD0D2D32D35C89D57A6B8F45AE75F92DE5C
Malicious:	false
Reputation:	low
Preview:	04/25/2024 11:12 AM: Unpack: C:\Users\user\Desktop\upload (1).zip..04/25/2024 11:12 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\faox30la.tjv..04/25/2024 11:12 AM: Received from standard out: ..04/25/2024 11:12 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/25/2024 11:12 AM: Received from standard out: ..04/25/2024 11:12 AM: Received from standard out: Scanning the drive for archives:..04/25/2024 11:12 AM: Received from standard out: 1 file, 195242 bytes (191 KiB)..04/25/2024 11:12 AM: Received from standard out: ..04/25/2024 11:12 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\upload (1).zip..04/25/2024 11:12 AM: Received from standard out: --..04/25/2024 11:12 AM: Received from standard out: Path = C:\Users\user\Desktop\upload (1).zip..04/25/2024 11:12 AM: Received from standard out: Type = zip..04/25/2024 11:12 AM: Received from standard out: Physical Size = 195242..04/25/2024 11:12 AM: Rec

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.998985447122467
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	upload (1).zip
File size:	195'242 bytes
MD5:	d118d8fe26bc2afef2c46651e45cdb7a
SHA1:	58db361724a555d6aa3d8d1fb6b2963602067fb2
SHA256:	f8eb12bfb8d3ff7fe304b2852cb531c5d99a6494f92d078e0fea9ecf2b7da73d
SHA512:	c6beea885892278855af0c70c08e3287f28cb7de24ac2652d15e7ac4d4053c285596c160f7990369da8364cd31500409736d948dfa853c37763ae34dc910cfbe
SSDEEP:	3072:kaELW9zf1YlRJEzsEKnrRlQLqscG9V9ACmljVBubDdnyziii3DG4Rus0jemZK:tELW97uEGM3cE9AuyzJclh0qmZK
TLSH:	5C14129D65B254C4F8072873E85A2FDD35EA7A47BFEB2031AEAA81A40DC04370DD7C25
File Content Preview:	PK...........X..............$.UiPath.Project.ni.dll.. ..........7.......7.......7......v...]nSY ...}.w8...g..ia..0.5.....&.QZ.....q.H#S@2.:5DM.-ij..#...,.,(r....>.Y........76i.....5V..%..w.y..6...$.BY..~..0M......H.&.;{...e.[".....Y..S..sX.e.......j5.F..t

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	11:12:23
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\upload (1).zip"
Imagebase:	0xb40000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:12:23
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\faox30la.tjv" "C:\Users\user\Desktop\upload (1).zip"
Imagebase:	0x640000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:12:23
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0144B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0144B208

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5b5974b9c8eaf30dfcef34e6eb3de12a73782263859a3f3c1ddff923efa69b3d
Instruction ID: 2a8721ca9faad91fcc66e573bb7b4ad1956a8df2950427d0ede22cc8099d3520
Opcode Fuzzy Hash: 5b5974b9c8eaf30dfcef34e6eb3de12a73782263859a3f3c1ddff923efa69b3d
Instruction Fuzzy Hash: 8C018F715042409FEB10CF15D98976AFBE4EF05220F08C4ABDD098F356D375E404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0144B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0144B2F3

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e97f0b401a66f42d2173f0c1a407cca55bcaf6e76de519f3b9d6576956f1ebe
Instruction ID: 5d07bcc041b3f01fc18f69b50c6e5a36c47075452ee65c879ee9b014cd28381c
Opcode Fuzzy Hash: 4e97f0b401a66f42d2173f0c1a407cca55bcaf6e76de519f3b9d6576956f1ebe
Instruction Fuzzy Hash: 8E31D4725043446FE7228B65CC45FA7BFBCEF06210F0488AAE985CB562D374A919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0144AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0144ADA7

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 19bbe26708f4bb5607a19ab010b426bd86ceca3f2f146fd9d2ef6ec61c2574ad
Instruction ID: 773f138dfe83be94ae194d42c04fd487c62699fccc35cf7af830140fa5e10447
Opcode Fuzzy Hash: 19bbe26708f4bb5607a19ab010b426bd86ceca3f2f146fd9d2ef6ec61c2574ad
Instruction Fuzzy Hash: 7931E7721043846FEB228B65CC44FA7BFECEF05214F0448AAF985CB562D374A819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0144AB76 Relevance: 1.6, APIs: 1, Instructions: 91
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0144AC36

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: dd2f701ce1d089d84432492acb390c71a1879401d8fa08a946c7731c0e276ff7
Instruction ID: 0a30a1ba79d1af37c849e9b015e9606029f45e365933828b8043918636fe00b8
Opcode Fuzzy Hash: dd2f701ce1d089d84432492acb390c71a1879401d8fa08a946c7731c0e276ff7
Instruction Fuzzy Hash: 1531707250E3C05FD3138B758C65A51BFB4AF47210F1A84DBD8C4CF6A3D2696919C762

Uniqueness

Uniqueness Score: -1.00%

Function 0144A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0144A67D

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 85c959c0a58bda788076e22405047813abd316a141a72a975493ca6b0a037232
Instruction ID: 8a60e8a038dafe650752dde7fbd446a0e186b58e1cb8dc9cc85def58255587ee
Opcode Fuzzy Hash: 85c959c0a58bda788076e22405047813abd316a141a72a975493ca6b0a037232
Instruction Fuzzy Hash: F931B371504340AFE721CF65DD44F62BFE8EF45220F0888AEE9898B662D375E418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0144A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0144A1C2

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 87e3896d4a56ed2d2047caf93a7f26225e85a2a72320fcd8014bb06cd6b33a3b
Instruction ID: 9f4d0a9fd0ff5322b6a36116cc1c5501842a235f22783c7adcd4014b3ff68d66
Opcode Fuzzy Hash: 87e3896d4a56ed2d2047caf93a7f26225e85a2a72320fcd8014bb06cd6b33a3b
Instruction Fuzzy Hash: 8221E27150D3C06FD3128B25CC51BA2BFB4EF47614F0985DBD884CF693D265A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0144B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0144B2F3

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de233a24e8c524bd420932c7ad2efdef9944ee5ee3376046e26a6484a73155a3
Instruction ID: 59cef5d516eb38847b4f2beedc4ae5754f130722f5ae57adeb37e8f3e7ac3e6d
Opcode Fuzzy Hash: de233a24e8c524bd420932c7ad2efdef9944ee5ee3376046e26a6484a73155a3
Instruction Fuzzy Hash: D321E072500204AFEB218F65CC45FABBBECEF04224F04886AE9458B662D770E4088BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A40C

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8a0b135a005d15f04d716fad9f474c8b0c4c4caf668553d27c99440caf0fe3f6
Instruction ID: 3804712779a95bc3c1825b827a69d4c724c3614cb0714300c2d14ddcd0269b35
Opcode Fuzzy Hash: 8a0b135a005d15f04d716fad9f474c8b0c4c4caf668553d27c99440caf0fe3f6
Instruction Fuzzy Hash: F1217C76504740AFE721CB15CC84FA7BBF8AF05610F0884AAE946CB2A2D374E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0144AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0144ADA7

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b12885bfe8cb8c08fddeae9ba5fcc496efc1aeae25a80464777de3f69ead6c7b
Instruction ID: 390fcc36814be19298e16d747024df127b2d47d7c675120438b99d706c9cb0e2
Opcode Fuzzy Hash: b12885bfe8cb8c08fddeae9ba5fcc496efc1aeae25a80464777de3f69ead6c7b
Instruction Fuzzy Hash: 0A21E272100204AFEB218F64DD45FABBBECEF04224F04886AF9458B651D370E4198BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A8DE

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0df5e5bfdbd854fac004a03af41ad7ec4af82ee77145ce530064fc47d4b4abb0
Instruction ID: b8fa8afdd57c03a5c5f471fdc6acefc224286b02e2cb75be342fd500887d03fe
Opcode Fuzzy Hash: 0df5e5bfdbd854fac004a03af41ad7ec4af82ee77145ce530064fc47d4b4abb0
Instruction Fuzzy Hash: 1921D6754083806FE7228B54DC44FA2BFB8EF46714F0888EBE9858F553C275A919C771

Uniqueness

Uniqueness Score: -1.00%

Function 0144A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A9C1

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b7929519a7f36ac838eec4bfce318edc3ea7d5850dbe6bc014672ccbc4498be3
Instruction ID: c29b0137fad2859cad0e491a26c3e4773dd93b1260b1c2572c1d4ac8e41b6529
Opcode Fuzzy Hash: b7929519a7f36ac838eec4bfce318edc3ea7d5850dbe6bc014672ccbc4498be3
Instruction Fuzzy Hash: B62183714093806FDB22CF55DD44F96BFB8EF46214F0888DAE9859B162C375A518CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0144A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0144A67D

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 57a63f65840283cf96fa73487799516830f18356df1e038fc5359d9d1b6e974d
Instruction ID: f127e635baac93112c76856bd058ebc9c246dc1030deed2f78022920d1566a13
Opcode Fuzzy Hash: 57a63f65840283cf96fa73487799516830f18356df1e038fc5359d9d1b6e974d
Instruction Fuzzy Hash: 56219272500200AFE721DF65DD45F66FBE8EF48214F14886AE98A8B762D375E418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0144A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A815

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b14b7c2618f9bd1ea06e196f3204933350c3861f4df887e78c92a42f71b3b4b5
Instruction ID: 9d5a73bd229a1933f352e34fc43ddc08f6d08006d108ed8309657697f1c96f87
Opcode Fuzzy Hash: b14b7c2618f9bd1ea06e196f3204933350c3861f4df887e78c92a42f71b3b4b5
Instruction Fuzzy Hash: EA21D5B54083806FE7228B55DC45BA2BFB8EF47324F0884DBE9858B293D274A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0144AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0144AA8B

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: dc61d9ad0db82990e933977988a2a04b8235b98cd7d223e85aa931860e264cbd
Instruction ID: bda0743618b26803b22c94e536dc6a69804613c5793d31dab831e7ac70c5c6d1
Opcode Fuzzy Hash: dc61d9ad0db82990e933977988a2a04b8235b98cd7d223e85aa931860e264cbd
Instruction Fuzzy Hash: C221AF755083805FEB12CB29DC55B92BFE8AF46314F0D84EAE985CB2A3D235D909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0144A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A40C

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8f11e59377bd8d467c0bbdec2b40eb4e76945b330e8e18ee12c1e979d9f0544d
Instruction ID: fdd0315f625ccc0440b7f1da1e9685da4708239441c5a2c4a73c49f30ea29307
Opcode Fuzzy Hash: 8f11e59377bd8d467c0bbdec2b40eb4e76945b330e8e18ee12c1e979d9f0544d
Instruction Fuzzy Hash: 3F2181766006049FF721CF15CC89FA7B7ECEF04610F14846AE9468B762D7B0E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0144A6D4 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0144A748

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0b4428e52c0f15c272327e5f8afb4f556559002607512a0e2f8ec4ce457ce367
Instruction ID: 0bb78277cdcd535bb58421f6931e614435f48d863a04d3882d10e9648be188d9
Opcode Fuzzy Hash: 0b4428e52c0f15c272327e5f8afb4f556559002607512a0e2f8ec4ce457ce367
Instruction Fuzzy Hash: 022184B55097C05FD7128B29DC55792BFB4EF07320F0984DBDC868B6A3D2759908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0144A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A9C1

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e01b4e5091414b152d039c695fa7f5485aeebd75160bc59cb9c797fe1a52ad85
Instruction ID: 43d31e9448051e03f0974ab7e70f52cfbb98675c000236ed3dfa97b08a63b9cb
Opcode Fuzzy Hash: e01b4e5091414b152d039c695fa7f5485aeebd75160bc59cb9c797fe1a52ad85
Instruction Fuzzy Hash: 1D110176500300AFEB21CF55DD44FAAFBE8EF04324F18886AE9468B652C375A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A8DE

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 95643159197fbeaab5e1be8a747cbdebd3b170e600c494837f06c699a592baad
Instruction ID: b434e5a5c4fc315f173fdf310504bf4548d1a32a4888f3527b23e059bd64b069
Opcode Fuzzy Hash: 95643159197fbeaab5e1be8a747cbdebd3b170e600c494837f06c699a592baad
Instruction Fuzzy Hash: 33112376500300AFFB21CF54DD48BA6FBE8EF44324F1488AAED468B651C370A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0144A30C

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 80405fdfb585c7c2c108464f5228068d2b923374a1d2410e38bd36fa0332d1be
Instruction ID: 27910d8aa64a4ddfb97cc20e06ae7202d49281c429b192e4912f6f821ade4f01
Opcode Fuzzy Hash: 80405fdfb585c7c2c108464f5228068d2b923374a1d2410e38bd36fa0332d1be
Instruction Fuzzy Hash: 0A1191754093C0AFD7228B25DC54A52BFB4EF07220F0980DBD9858F263D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0144AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0144AA8B

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 400d1f76400769e9e49f691c3e6e2c1d471d669ff6a1191e22e59b9597798d8b
Instruction ID: 27af3967b346edda321ca74ff7a63d0bec1df01fbd5e1cf65c1678b322eaef1c
Opcode Fuzzy Hash: 400d1f76400769e9e49f691c3e6e2c1d471d669ff6a1191e22e59b9597798d8b
Instruction Fuzzy Hash: E0115E766042409FEB10CF29D989B66BBD8EF45220F18C4AADD4ADB752E375E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0144A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,15469DAA,00000000,00000000,00000000,00000000), ref: 0144A815

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1c2c0fedf8894dde5c1c707049c3c132f9d97b277bc93b68cddbad6ba12e0bd8
Instruction ID: 748bc5678183fadcd6c352f92f5f4f475f86048d3240dd6e42a24eeaf4de1b3d
Opcode Fuzzy Hash: 1c2c0fedf8894dde5c1c707049c3c132f9d97b277bc93b68cddbad6ba12e0bd8
Instruction Fuzzy Hash: 33012672504300AFF720CB05DD49BB6FBD8EF04624F14C4A6ED058B792D3B4A8098AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0144AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0144AFE4

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 25c64e79133b745ba2da121c97e012010c34552f355545a4f65853028aef56c2
Instruction ID: 4634c6709af85083659d890edb945ddffa8b6c5a7d75cbf88f528fd40d1e8420
Opcode Fuzzy Hash: 25c64e79133b745ba2da121c97e012010c34552f355545a4f65853028aef56c2
Instruction Fuzzy Hash: F911A0755093C0AFD7128F25DC45B52BFF4EF06221F0984DBED858B263D275A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0144B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0144B208

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9e31441665a1b952dd46c0bcfabcc84faa05df42a4930f8c5a2d72a35181793a
Instruction ID: f2f52daa89a37cdafab1cd678ce41e4924679fc7369dc775564ed78b44a4ba6e
Opcode Fuzzy Hash: 9e31441665a1b952dd46c0bcfabcc84faa05df42a4930f8c5a2d72a35181793a
Instruction Fuzzy Hash: 8B1173715093809FD712CF25DC44B56BFB4EF46220F0884DBDD858F263D275A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0144ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0144AC36

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: bd6844d3a406a74681016d60a5d55309877920249191c71f544d5e9b92090797
Instruction ID: 8c50a32123f689fda87ac82d7ef599d84aff2296dff58522dd222aa18d282130
Opcode Fuzzy Hash: bd6844d3a406a74681016d60a5d55309877920249191c71f544d5e9b92090797
Instruction Fuzzy Hash: FE019E71600200ABD250DF16CD45B66FBA8EB88A20F14856AEC089B741D771F925CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0144A1C2

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 454dc92f3563a8ba2d84bff0ce50f3061604c4adc40f73d41391006b150c93a4
Instruction ID: c9b2a062ca46159bcc1d77f4fd295a7ba20150cd042cf016d16fa956a020671f
Opcode Fuzzy Hash: 454dc92f3563a8ba2d84bff0ce50f3061604c4adc40f73d41391006b150c93a4
Instruction Fuzzy Hash: 1501B171600200ABD350DF16CD45B76FBE8EB88A20F14856AEC089B741D775F915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0144A748

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c3b2a9377329c88ec33ebba8bb65de537c3935a858aadcb78c516c77d63513a4
Instruction ID: 153f93d58747434c4dd946831c704fe8315de899d5c8d132e5235af898cd7d92
Opcode Fuzzy Hash: c3b2a9377329c88ec33ebba8bb65de537c3935a858aadcb78c516c77d63513a4
Instruction Fuzzy Hash: 5D0184755046409FEB20DF15D9897A6FBE4EF05220F18C4ABDD068F752D375E444CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0144AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0144AFE4

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: d5189bd7482c6ea62d4a94e71934b87d934d7e2ef4c07798f507480f07efe4a1
Instruction ID: 1ed4db503916eea6fee1724910fa2e967b1aa41c18f67abd4f537f18c8e22760
Opcode Fuzzy Hash: d5189bd7482c6ea62d4a94e71934b87d934d7e2ef4c07798f507480f07efe4a1
Instruction Fuzzy Hash: B4012D755002409FEB108F15DC897A6FBD4EF04221F08C0ABDD064B762D375E448CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0144A30C

Memory Dump Source

Source File: 00000000.00000002.4458230661.000000000144A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a33388599c9218f0ec5c8fb92d6b4e389615f3743c87736b1ced1b7dba30c85d
Instruction ID: 04a214e53c6e5b9e248c301007f38c9748322bcc21ba571084d03eb45cb082da
Opcode Fuzzy Hash: a33388599c9218f0ec5c8fb92d6b4e389615f3743c87736b1ced1b7dba30c85d
Instruction Fuzzy Hash: 9AF0AF365042409FEB209F05D989766FBE4EF04625F18C09ADD0A4B766E3B5A408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 01700C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

KM*, xrefs: 01700D6E, 01700D73

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID: KM*
API String ID: 0-3388775369
Opcode ID: 612a25a218efa45372f4561a7258a0f6d312ba7a63c129871c104f17de40f00d
Instruction ID: e542e7c763230da801b2f0ef60ba2587a337f79fc9d8ebcfb1f3c049363cf9bf
Opcode Fuzzy Hash: 612a25a218efa45372f4561a7258a0f6d312ba7a63c129871c104f17de40f00d
Instruction Fuzzy Hash: A421B830B003048BCB55EB7A98017AFBAD7EFC8244B04843CE542DB345CF7AAD428B92

Uniqueness

Uniqueness Score: -1.00%

Function 01700CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

KM*, xrefs: 01700D6E, 01700D73

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID: KM*
API String ID: 0-3388775369
Opcode ID: ee3c8063aae0b2af2854c0a3c9a77f6ce098cca6f0136e49a8eac1a3d526b86a
Instruction ID: 2db3cb91afe6c4b6566ae6bd2773f33313b2cfa793edd30268b23fe02a5454da
Opcode Fuzzy Hash: ee3c8063aae0b2af2854c0a3c9a77f6ce098cca6f0136e49a8eac1a3d526b86a
Instruction Fuzzy Hash: FD214430B003048BCB15EB7A94457AFBBD7AFC9608B44882CD146DB385DF79AD468792

Uniqueness

Uniqueness Score: -1.00%

Function 017002C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3197b363ad5e407fdc31275c4d46bf437b5535993a6e16e55c62a700589889d6
Instruction ID: 0d79b146a1e5b7b798d09b95a4e4b60c96aba50fe27c01cee825e66f7b1bcdd8
Opcode Fuzzy Hash: 3197b363ad5e407fdc31275c4d46bf437b5535993a6e16e55c62a700589889d6
Instruction Fuzzy Hash: 5FB14B74601300EFCB15DF66E858A5E7BF2FF88790B148568E906973A9DF389C85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01700799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4828a5d1fa9996eeea4e79dfdbcdf44242a95be3dda37b67ad784751988fd84
Instruction ID: a0d0cbf16596b994347093717547c250128ea1ed63dc935a8199a1f184f90b0e
Opcode Fuzzy Hash: a4828a5d1fa9996eeea4e79dfdbcdf44242a95be3dda37b67ad784751988fd84
Instruction Fuzzy Hash: C6A19C31B003009BDB159BB5D8597BEB7E2FB88358F148469E906973A5DF789C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017307A4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458479082.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1730000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ad695a006a2fcdc5edd310c363aff3482c0c55011f81539c9d8f7401503317
Instruction ID: 3862d18db1b716c76fabcb491c844e9f87c9807de0e67869c0635457c325256e
Opcode Fuzzy Hash: 37ad695a006a2fcdc5edd310c363aff3482c0c55011f81539c9d8f7401503317
Instruction Fuzzy Hash: 5121B5B6404204AFD210DF05ED45CA7FBECEF85520B04C56EFC498B601E276A9198BF2

Uniqueness

Uniqueness Score: -1.00%

Function 01700B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e3a231353d2a76515642de88b806107ee33dd4e0df741702d99835cb495936
Instruction ID: 5e1c94a8cf742db11281b938a5dcfb01741511ca1776f6be93f0ceccabb4852f
Opcode Fuzzy Hash: 43e3a231353d2a76515642de88b806107ee33dd4e0df741702d99835cb495936
Instruction Fuzzy Hash: 5711B135A10218AFCB549BB4E845DEE77F6EB88214B24457DE505E7260DB39AC1A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 01700BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c2e2ea0b7016d9b9781306c2b6d1aa0c646608d2e2b39e9d02be5cada13a57
Instruction ID: eac137599f580e02dc27c6f90e4ddf7474d0cac4ef2b8e62a33aafae62ba5a0d
Opcode Fuzzy Hash: 89c2e2ea0b7016d9b9781306c2b6d1aa0c646608d2e2b39e9d02be5cada13a57
Instruction Fuzzy Hash: 01119131A10218AFCB149BB4D845D9F77F6FB88214B154579E605E7360EF39AC1A87C0

Uniqueness

Uniqueness Score: -1.00%

Function 01730809 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458479082.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1730000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c04b02727b851a0fdce8e29d4a67d0219ce1cb4c6f017ff9aeb7088a621e6d9
Instruction ID: d51552d88c0e6ecd3ee13937594ecf91e94ffeafd0c3e88fc7a9320c9b2ab782
Opcode Fuzzy Hash: 8c04b02727b851a0fdce8e29d4a67d0219ce1cb4c6f017ff9aeb7088a621e6d9
Instruction Fuzzy Hash: 1701B5B64096446FC301DB15EC41C57BBFCDF96520F04C96AEC448B611D226B9198BA2

Uniqueness

Uniqueness Score: -1.00%

Function 017305E1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458479082.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1730000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e2f6507af8c48f4048811cf0c00043d564d945a7d7c114afa29a135590d781
Instruction ID: a5af4da938860ad8a1e56c32b6a6f48e3ba71b8af4a1fbeae4ef6ef5d92a59ee
Opcode Fuzzy Hash: e3e2f6507af8c48f4048811cf0c00043d564d945a7d7c114afa29a135590d781
Instruction Fuzzy Hash: 810186765097405FD7118F06EC45862FBE8EF86620709C4AFEC498B652D275B918CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0173082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458479082.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1730000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029e3844a248cac6a823577c0d26ee907db8feae6dd73a4177fbf13daee16bd9
Instruction ID: d9c1f3c948c08c7487ccfc20df1f7d0fcbea6d7beac688bd33ef99f661dbad8b
Opcode Fuzzy Hash: 029e3844a248cac6a823577c0d26ee907db8feae6dd73a4177fbf13daee16bd9
Instruction Fuzzy Hash: BEF082B2805604AF9240DF09ED458A6F7ECEF84521F04C53EEC098B700E276A9194AF2

Uniqueness

Uniqueness Score: -1.00%

Function 01700C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322a6775b4da5cd4829187a2cf3707fe87ad571b4f0bda2cc5feca694d9f4e62
Instruction ID: cd5ee76e4a5aba915ea52fdad516db58a4463c1b9f67c3b3080bbe4c95768a03
Opcode Fuzzy Hash: 322a6775b4da5cd4829187a2cf3707fe87ad571b4f0bda2cc5feca694d9f4e62
Instruction Fuzzy Hash: 91E0DF31F143141FCB88DEF998415EEBFE6EB852A0B2045BE8008D7391FB3898028781

Uniqueness

Uniqueness Score: -1.00%

Function 01730606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458479082.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1730000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fc6cc69bfa39eedcef56cf0835d3f9efb99b63034813e1744c366238cc0a6f
Instruction ID: 8e02c828bcffe1228f678c820fbeb5e3311e1bf9802764baa26ac2f456978b40
Opcode Fuzzy Hash: b3fc6cc69bfa39eedcef56cf0835d3f9efb99b63034813e1744c366238cc0a6f
Instruction Fuzzy Hash: 15E092BA6046004B9650CF0AEC854A2F7D8EB84630708C07FDC0D8B711D276B509CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 01700C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e74d8502d9ec546838ed045df94b88bf3ad53a4871dbc6ccb2f79035747fa7
Instruction ID: 0805a7c966d0b080e873c2e991f97c97ee94c9041e091d4dcca80969c2baa81b
Opcode Fuzzy Hash: f8e74d8502d9ec546838ed045df94b88bf3ad53a4871dbc6ccb2f79035747fa7
Instruction Fuzzy Hash: 77D01231F442182B8B48DEF9584159E7AEA9B84194B64447D900DD7340FE3998018791

Uniqueness

Uniqueness Score: -1.00%

Function 01700DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a04c795a864453a818ba4a6b1b98fd451c14c9627ca9b4b097b498804d6551d
Instruction ID: 301fae0986684612cf14bd9d4442956620fbab52291fc79f05fb594ab7a9102e
Opcode Fuzzy Hash: 4a04c795a864453a818ba4a6b1b98fd451c14c9627ca9b4b097b498804d6551d
Instruction Fuzzy Hash: 3DE0C2301503048FC7466B68E80A6E437E1EB812A0F0581A5D4048B1A2CB78AC85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01700E08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e96bf97999a11e0bacfb42fcb439a4182284b7ec0e3611c74fc7df55c4346
Instruction ID: 5aa146ff5664a94eac80a136c7186972fb6a133edfb1d5d732a10d3b72dcf63b
Opcode Fuzzy Hash: a92e96bf97999a11e0bacfb42fcb439a4182284b7ec0e3611c74fc7df55c4346
Instruction Fuzzy Hash: FBE0CD301043048FC746A774D81D5B4BBE4EB96214F45C1A9D845971A6C77C9C45CB00

Uniqueness

Uniqueness Score: -1.00%

Function 014423F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458215238.0000000001442000.00000040.00000800.00020000.00000000.sdmp, Offset: 01442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1442000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d46f32fc2120e852a28b8bec2c2bfb7ee3366dffe1ba9042842378e1192db7a
Instruction ID: b772707342cb3396139f3200ef61aa905257e92948f85f1eb61367fe64cf708d
Opcode Fuzzy Hash: 6d46f32fc2120e852a28b8bec2c2bfb7ee3366dffe1ba9042842378e1192db7a
Instruction Fuzzy Hash: E3D05B752056D14FF3169B1CD558F963BE4AB51715F4644FAA800CBB73C768D581D500

Uniqueness

Uniqueness Score: -1.00%

Function 014423BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458215238.0000000001442000.00000040.00000800.00020000.00000000.sdmp, Offset: 01442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1442000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5b7c5fe2e85e9ce26755ae57acd7dab458dca5ee41aa18b344be8597e1859b
Instruction ID: 21c76c0887101047483ca08d1dd83b0e929b2b4f32802b61acc0f7b777dfc31f
Opcode Fuzzy Hash: 9d5b7c5fe2e85e9ce26755ae57acd7dab458dca5ee41aa18b344be8597e1859b
Instruction Fuzzy Hash: F4D05E342002814BE725DA1CD6D4F5A3BE4AB40714F0648EABC108B772C7B4D8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Function 01700E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699477edad3b514fcbd1b0240b86698dfa3997753ec3ab40ba73f777037b2a7b
Instruction ID: 297dd74560f06ff9ca462b2c1ed1abbcb6c01cf8e5b1d27994d10ddeb65f9947
Opcode Fuzzy Hash: 699477edad3b514fcbd1b0240b86698dfa3997753ec3ab40ba73f777037b2a7b
Instruction Fuzzy Hash: 95C01230200304CBC705B778D91DB29B7D957D9614F84C164A5081B295CF78EC50C684

Uniqueness

Uniqueness Score: -1.00%

Function 01700DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458464722.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f374e33cbac5c97d117b71d19b4bc1e183d24d1bf84208b73d9e70c05085bc62
Instruction ID: 9d633d8b0e1f082ff98e47c62fe162ffb996072b3757a85acb13b86fbd6c11a9
Opcode Fuzzy Hash: f374e33cbac5c97d117b71d19b4bc1e183d24d1bf84208b73d9e70c05085bc62
Instruction Fuzzy Hash: AAC01230200304CBD705B778D819B25B7DA67D4214F45C164A5085B295CB78EC90C6C4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0144247C Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458215238.0000000001442000.00000040.00000800.00020000.00000000.sdmp, Offset: 01442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1442000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4bf392fe7e425a25dd6f00e8439567e4112b07b3a1bf9e26a531cfb1c221cc
Instruction ID: 6641ab434327266fd236d442dcbfb5e251865ad0922f0f7fc3a9050bfa29dd91
Opcode Fuzzy Hash: 9a4bf392fe7e425a25dd6f00e8439567e4112b07b3a1bf9e26a531cfb1c221cc
Instruction Fuzzy Hash: FF81766140EBC58FD7178F3498A6044BFB0AE93224B0E4ACFC8D4CF1A7D3689959C766

Uniqueness

Uniqueness Score: -1.00%

Function 01442589 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458215238.0000000001442000.00000040.00000800.00020000.00000000.sdmp, Offset: 01442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1442000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a818d22c3516f92b23e2d66ed3781bccc27496833a8f3c99d4ee92bee90b6fa3
Instruction ID: 0b2d9518d3b2587f61c6835a986a53f34e6d1b7fac8b1220f080517ba7da4563
Opcode Fuzzy Hash: a818d22c3516f92b23e2d66ed3781bccc27496833a8f3c99d4ee92bee90b6fa3
Instruction Fuzzy Hash: 1351492140EBC19FDB1B8B3498A5444BF70EE9322871E4ACFC8D4CF5A7D3688819C726

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report upload (1).zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 5896, Parent PID: 1028

General

Chronological Activities

Analysis Process: 7za.exePID: 4284, Parent PID: 5896

General

Chronological Activities

Analysis Process: conhost.exePID: 5508, Parent PID: 4284

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 5896, Parent PID: 1028COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0144B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 0144B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
upload (1).zip

Function 0144B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0144AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0144AB76 Relevance: 1.6, APIs: 1, Instructions: 91
pipeCOMMON

Function 0144A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0144A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 0144B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0144A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0144AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0144A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0144A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0144A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0144A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0144AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0144A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Function 0144A6D4 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON