Edit tour

Windows Analysis Report
MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip

Overview

General Information

Sample name:	MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip
Analysis ID:	1431753
MD5:	d597d940161f3c3c437f2f1f2cb6405c
SHA1:	eb8acbaa66d79ae0f9031ae1b1dc198165fcec3c
SHA256:	620d38cf0ff1591d745cc9aa6813b53f863477772609c3dbd9e563bfc2905014
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 6896 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 4908 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\zr5e5itz.egn" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\zr5e5itz.egn" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\zr5e5itz.egn" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4840000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 3864			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 6105			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1456	Thread sleep count: 3864 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1456	Thread sleep time: -1932000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1456	Thread sleep count: 6105 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1456	Thread sleep time: -3052500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0086B1D6 GetSystemInfo,

0_2_0086B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\zr5e5itz.egn" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431753
Start date and time:	2024-04-25 18:16:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:17:48	API Interceptor	3892981x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3429
Entropy (8bit):	5.08605792117111
Encrypted:	false
SSDEEP:	48:6qCR2GbdGdGpjGvGdGpYtGbfGPtGFGzGdGdGmiGdGEGdGm9mL1VdddpoF/U0AjD6:6qFqVdddSWl3NQF
MD5:	08BAFBAF3B40951E97862351EAF15645
SHA1:	00C7EA92FA26265B8715E76AB8BEB38BCBC265F1
SHA-256:	F29128F2792CD48B63803BB7E966063640E886573C47DF9DAE9A9111C32389AE
SHA-512:	324DF378EDFC51A30C1FB8C401D7947EE2BC933219FBACC9A5D49732D70D1FB5AF1F45C2296E945A5CC9E138CCCFD660BC7982B8EB8DE1E1BBB05D87AE491DD9
Malicious:	false
Reputation:	low
Preview:	04/25/2024 6:17 PM: Unpack: C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip..04/25/2024 6:17 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\zr5e5itz.egn..04/25/2024 6:17 PM: Received from standard error: ERROR: Wrong password : EDownloader.exe..04/25/2024 6:17 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/25/2024 6:17 PM: Received from standard out: ..04/25/2024 6:17 PM: Received from standard out: Scanning the drive for archives:..04/25/2024 6:17 PM: Received from standard out: 1 file, 636435 bytes (622 KiB)..04/25/2024 6:17 PM: Received from standard out: ..04/25/2024 6:17 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip..04/25/2024 6:17 PM: Received from standard out: --..04/25/2024 6:17 PM: Received from standard out: Path = C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.999765882981263
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip
File size:	636'435 bytes
MD5:	d597d940161f3c3c437f2f1f2cb6405c
SHA1:	eb8acbaa66d79ae0f9031ae1b1dc198165fcec3c
SHA256:	620d38cf0ff1591d745cc9aa6813b53f863477772609c3dbd9e563bfc2905014
SHA512:	c2a90fcd44f1df1c289f71afb97cbd45be69ecd075276f9dc6d1793dcdfb4e2bff17ac9dd0124d0c2cb6dbbf4827406dcb9e63d28d6a26ef9b2c64ae1fd63516
SSDEEP:	12288:KXUgbJlVRNUGJHPEOQVS+m7DtNwqIeBOR5UHAsusCThKKYzQei0n:m3JRRVPfnPwXsusCTgKgH
TLSH:	61D423D0E87348B67833C0B5CABB495E5C4733A1AB429883BA95970DF974198FCB17B1
File Content Preview:	PK...........XW..FK...PC....$.EDownloader.exe.. .........$UP.+...#UP.+....UP.+...z}.G.1...U.\|Y...0........x..2....S...m..9.....E....X....3.....g*W.G...}o..-d........k5.....0.&..... .....$.[`......yMg...L.....h...YaKs\......b....G..#.=7.Yf..L........u.Ik..

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	18:17:15
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip"
Imagebase:	0x270000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	18:17:15
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\zr5e5itz.egn" "C:\Users\user\Desktop\MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip"
Imagebase:	0xa20000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:17:15
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0086B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0086B208

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 4efa02cebee49b7fde33ae7408e934dae5783c9b89ef13fed85133d566e3da8c
Instruction ID: cb1427358dd2a03e039d43cebbad5171a32635103fac95e6488284ce25734fde
Opcode Fuzzy Hash: 4efa02cebee49b7fde33ae7408e934dae5783c9b89ef13fed85133d566e3da8c
Instruction Fuzzy Hash: 59018F719002449FDB10CF55D985766FBE4EF05328F08C4AADD48CF756D379A544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0086B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0086B2F3

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e542091ce744106dfdd5a61e7baff28cd5131e6ca92d591e1a35cddd5fc2c0b2
Instruction ID: 061a5e0c76ca8bed38c5bc0a75b5e54def0996cf18c1c0c15de29df9ced3eba2
Opcode Fuzzy Hash: e542091ce744106dfdd5a61e7baff28cd5131e6ca92d591e1a35cddd5fc2c0b2
Instruction Fuzzy Hash: 4A31E671504344AFE7228B61CC44FA6BFFCEF16324F04849AE985CB662D324E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0086AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0086ADA7

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e0d2ae4c03401eabd0cdfbf9802caced86f489fbf2c5d444ff20e154fbd29a5
Instruction ID: 9a925042184a5b3c54f5dda7eb15299c7c9d93acb97a739a6327f06861481b78
Opcode Fuzzy Hash: 3e0d2ae4c03401eabd0cdfbf9802caced86f489fbf2c5d444ff20e154fbd29a5
Instruction Fuzzy Hash: A431D371104344AFEB228B61CC44FA7BFBCEF1A214F04889AF985DB552D324E919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0086AB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0086AC36

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 230787894259ec4df127b3621013ee667051bc78c11268e0b6a6a3d2b548f806
Instruction ID: 3bbcbf411c84c65d5448b07d33bbfba8676bd149e451f607e13365c40a929c4d
Opcode Fuzzy Hash: 230787894259ec4df127b3621013ee667051bc78c11268e0b6a6a3d2b548f806
Instruction Fuzzy Hash: 7931817150D3C05FD3138B658C65A65BFB8AF47610F1A84CBD8C4CF6A3D229A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 0086A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0086A67D

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fcb8f01dc1ef46106e03098a02357a08aabf68f5703676127179cb92152af35a
Instruction ID: 269aa5838cae38486a24f8ba17439f64b8ca3e21db095223368580190912cf1d
Opcode Fuzzy Hash: fcb8f01dc1ef46106e03098a02357a08aabf68f5703676127179cb92152af35a
Instruction Fuzzy Hash: 9D319371505340AFE721CF65DC44F62BBE8EF19210F08849EE985DB652D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0086A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0086A1C2

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 44bea33eb309759248245fb6f154033600dc552376193bb3ff13a7c36700ab73
Instruction ID: 475705cd57154d86247ac4d75ac07568b441f73de6f49105f033bc0e613b1f86
Opcode Fuzzy Hash: 44bea33eb309759248245fb6f154033600dc552376193bb3ff13a7c36700ab73
Instruction Fuzzy Hash: A721B07150D3C06FD3128B258C51BA6BFB4EF87624F1985CBD884CF693D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0086AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0086ADA7

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eed21db57084fd23a636b294c85b7f27dbb9c3db986bf3a27b052675bef3947d
Instruction ID: da9c9dec5e154423182ddddc728849585a7e40b3c9391c5e5f2333fa2ab1024b
Opcode Fuzzy Hash: eed21db57084fd23a636b294c85b7f27dbb9c3db986bf3a27b052675bef3947d
Instruction Fuzzy Hash: 3621B272500204AFEB218F65DC84FABFBECEF18314F04886AE945DBA51D775E5488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0086B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0086B2F3

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0be91c3bcb503eb46274530793a00d2d300680a7b58d78ea15bf170cd86b7d4f
Instruction ID: 908ad27e9024923db7dbf8142384723200ba5beb8d39b09afcfd05a1a5c817fa
Opcode Fuzzy Hash: 0be91c3bcb503eb46274530793a00d2d300680a7b58d78ea15bf170cd86b7d4f
Instruction Fuzzy Hash: 5921C772500204AFEB218F55DC44FAAF7ECFF18314F04886AE945CB651D775E5488B71

Uniqueness

Uniqueness Score: -1.00%

Function 0086A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A40C

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a4db02087cc486cbaaf1f2f36e904a5ed4a43021b8c190da0fb67559439ce163
Instruction ID: 85459593970fdf2a5f7f297d48b5ab82c5705a87a0f0d48dfed8e050fa67eb21
Opcode Fuzzy Hash: a4db02087cc486cbaaf1f2f36e904a5ed4a43021b8c190da0fb67559439ce163
Instruction Fuzzy Hash: BB218B75604740AFD721CF11DC84FA2BBF8EF05710F08849AE985DB292D364E908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A8DE

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 53bfecf90e1c4c6a46862c67c548f520dd6136edc815cec3a9bce3571865afe7
Instruction ID: f18a70816afb3587f6e3e9cbaccb565565d08b4571729eb7f436c57ee8df16db
Opcode Fuzzy Hash: 53bfecf90e1c4c6a46862c67c548f520dd6136edc815cec3a9bce3571865afe7
Instruction Fuzzy Hash: 6421D3715083806FE7228B50DC44FA2BFB8EF46714F0984DAE984DF653C325A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0086A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A9C1

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1ec4c405bd94e6e83637e6fc2e697049ae8d18e2c6c202fe92a41fa2e6537e9c
Instruction ID: 2f7ba934cde8cb38a5c78cfb7dcebfe4f7d823ea1312a5c77dc392e3ad43b4b9
Opcode Fuzzy Hash: 1ec4c405bd94e6e83637e6fc2e697049ae8d18e2c6c202fe92a41fa2e6537e9c
Instruction Fuzzy Hash: A0219271509380AFDB22CF51DC44F96BFB8EF56314F08849AE9849F252C375A549CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0086A67D

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dfa069081cc4b327579e04258a19fe800f8ab88346f6d8f17d9bb7e462f9a989
Instruction ID: e14728fe45275e533537901080be8703044e241691ba1713bb34c0f8dc7c7e4e
Opcode Fuzzy Hash: dfa069081cc4b327579e04258a19fe800f8ab88346f6d8f17d9bb7e462f9a989
Instruction Fuzzy Hash: 81219C71600200AFEB21CF65CD84F66FBE8FF18314F088869E94ADB651D375E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0086A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A815

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e10e413076371595a5d5666fe89f6eecfa53a99ae361269954cf7825668e0612
Instruction ID: 40fe6fff6f658ae53aa0ce60132d2f76a531e66978f9a9cdb65ae5630e1fbf40
Opcode Fuzzy Hash: e10e413076371595a5d5666fe89f6eecfa53a99ae361269954cf7825668e0612
Instruction Fuzzy Hash: C721D5B55093806FE7128B11DC44BE2BFB8EF57714F0980DAE984CB293D368A909D772

Uniqueness

Uniqueness Score: -1.00%

Function 0086AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0086AA8B

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ef0daf30c5aec4673987c766be450f242e9406ce2dedd009223daf404b56d192
Instruction ID: 66ef5365eb514ea1680e1e36fe90bf5bdb4667b5a17c8e6f5258a2517fea754a
Opcode Fuzzy Hash: ef0daf30c5aec4673987c766be450f242e9406ce2dedd009223daf404b56d192
Instruction Fuzzy Hash: B121B0715083C05FEB12CB69DC95B92BFE8EF06314F0D84EAE984DB253D224D909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0086A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0086A748

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fb53b1565b6ef8d1b1947c47152c2bfe0445b32fa69ecdb4b0bed7eb66335698
Instruction ID: 9197851efcfc4b7f941b0d494547c8bdd27cf7da7bb0bcdcd03993fbf7d050c8
Opcode Fuzzy Hash: fb53b1565b6ef8d1b1947c47152c2bfe0445b32fa69ecdb4b0bed7eb66335698
Instruction Fuzzy Hash: 042104B59093C05FD7128B25DC95652BFB8EF07320F0984EADD808F2A3D2349909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0086A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A40C

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b7279b8d8d783fa65f31e723385da36f5f747b6e6ccca810902706dbb5d79200
Instruction ID: b33e714524c5e7becbd2dde7a8bd5af3fe945ee683e2d9b08255be8136090d6a
Opcode Fuzzy Hash: b7279b8d8d783fa65f31e723385da36f5f747b6e6ccca810902706dbb5d79200
Instruction Fuzzy Hash: 6E219A75600604AEE720CF15CC84FA6B7E8FF18714F08846AE945DB752D764E908CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A9C1

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c2c474c0d2a9ada8030ccf33940e176afc2aa28ae587166dfb36506a59f7af16
Instruction ID: 8da14bc7dcdae3e6647f1f907511c14d2f0f10c3369f8723e84d0bbdc136e179
Opcode Fuzzy Hash: c2c474c0d2a9ada8030ccf33940e176afc2aa28ae587166dfb36506a59f7af16
Instruction Fuzzy Hash: A311B271500204AFEB21CF55DC84BA6FBE8EF18728F14846AE9459A651C375E548CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A8DE

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b75862ea86197e79aba30aebad27dbd997d5d8dcd565589dacef1922cea8c412
Instruction ID: 0d619fbedbe3518f74f7d63c2711044213926f2dc11de0ea6adee927d882e524
Opcode Fuzzy Hash: b75862ea86197e79aba30aebad27dbd997d5d8dcd565589dacef1922cea8c412
Instruction Fuzzy Hash: DF11C471500204AFEB21CF55DC84BA6FBE8EF58724F14846AE949DB641C375E5088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0086A30C

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 81d058f95b7f9e457ae9162861375e199a1dd76ad1e74412ba31770eb2115536
Instruction ID: 2d708c125e41c0d8635a2b127c3015cc5057e08636c42d4ed8f21afc1099087c
Opcode Fuzzy Hash: 81d058f95b7f9e457ae9162861375e199a1dd76ad1e74412ba31770eb2115536
Instruction Fuzzy Hash: F111A3754093C09FD7228B25DC94A52BFB4EF17224F0A80DBDD848F263D275A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0086AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0086AFE4

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 568985b663b2a72a589367704494ff99b9b38eb349c0f5ea9bea2aa01151ad92
Instruction ID: 37349915f6296bb5897de7f467a0106f62895eacbb349a83ca35aa5b056f5676
Opcode Fuzzy Hash: 568985b663b2a72a589367704494ff99b9b38eb349c0f5ea9bea2aa01151ad92
Instruction Fuzzy Hash: 2411AC715097C09FDB128B65DC85A52FFF4EF06220F0984DAED85CB263D278A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0086B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0086B208

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 8dcef97a7b5c8fe1c6153861eed5bd2fbafe057ccd2067395ffedf69f91e44e4
Instruction ID: b23e6c0bccc29d92e611d79222783d5e8b0ce54dbebad0bc0c3fd44120db6328
Opcode Fuzzy Hash: 8dcef97a7b5c8fe1c6153861eed5bd2fbafe057ccd2067395ffedf69f91e44e4
Instruction Fuzzy Hash: F011AC715093809FDB128F15DC98B56FFB4EF46224F0884EAED848F252D279A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0086AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0086AA8B

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 3e0529b2f6fdb2880f8235cbd4d969f99f3700dbfb07c7e7998b9157b5b3bd85
Instruction ID: fcaea1ac0c13a5bc11bfd0ab90a2f621c4602343f1876405fa177c413f1ea78a
Opcode Fuzzy Hash: 3e0529b2f6fdb2880f8235cbd4d969f99f3700dbfb07c7e7998b9157b5b3bd85
Instruction Fuzzy Hash: 0F11A1716002409FEB14CF59D984B66FBE8EF04321F08C4AADD09DB646E234E904CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0086A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,2001AEB4,00000000,00000000,00000000,00000000), ref: 0086A815

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 59b771fa82c75a20ae5468883971d6a60faf59e5757817538c49e23689552d3d
Instruction ID: 29f61d3ee9cff3cbb583d98a0f748b1a2f7d1bec447b563f5addffbb71f7f73c
Opcode Fuzzy Hash: 59b771fa82c75a20ae5468883971d6a60faf59e5757817538c49e23689552d3d
Instruction Fuzzy Hash: 9401F975500204AEE720CB05DC85BA6F7E8EF54728F14C0A6ED05DB741D378E9088EB6

Uniqueness

Uniqueness Score: -1.00%

Function 0086ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0086AC36

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: f6315415fff10b621eee576cb84bf0409016111a5e27edb39cf9a78be7577e95
Instruction ID: 6eb3e392e2a572b3f7f439e913c64f7eadb74cd9246093b89c16ef74c1f174c9
Opcode Fuzzy Hash: f6315415fff10b621eee576cb84bf0409016111a5e27edb39cf9a78be7577e95
Instruction Fuzzy Hash: F0017171600200ABD310DF16DC85B76FBE8FB88A20F14855AED489BB45D735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0086A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0086A1C2

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 89b2981e9bcf4ff6f385055cf8d792ef5f6c773dbbee34aa2b01351bfbf16328
Instruction ID: b10f1aed61324ae2beb0790638a509630de162889b1cbfa36ddd0bc5f90475b1
Opcode Fuzzy Hash: 89b2981e9bcf4ff6f385055cf8d792ef5f6c773dbbee34aa2b01351bfbf16328
Instruction Fuzzy Hash: 61017171600200ABD310DF16DC85B76FBE8FB88A20F14855AED089BB45D735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0086A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0086A748

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2225709025974b6e0bb8a345dc8daa5122a7f642e839fe5ce6d8322d4d0a08d7
Instruction ID: 60e2f8a97fd5e9631b97fb088a0a45c710875713d5a45264b0f5cc0085b0e2d9
Opcode Fuzzy Hash: 2225709025974b6e0bb8a345dc8daa5122a7f642e839fe5ce6d8322d4d0a08d7
Instruction Fuzzy Hash: 2901DF71A002408FEB108F19D984766FBE4EF04324F08C4BADD49DF646D279E948CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0086AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0086AFE4

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 3d0dbe3dc75610ee5fd8077ccc62469083825e53748b24b6268a4db5e515c8f8
Instruction ID: 615983611f338c4dae64735f59293598e13be926d04148873347a306e1422b06
Opcode Fuzzy Hash: 3d0dbe3dc75610ee5fd8077ccc62469083825e53748b24b6268a4db5e515c8f8
Instruction Fuzzy Hash: EC01D1756006449FDB208F19D884762FBE4EF05328F08C0AADD058B752D779E848DEA3

Uniqueness

Uniqueness Score: -1.00%

Function 0086A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0086A30C

Memory Dump Source

Source File: 00000000.00000002.4079933686.000000000086A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3401010658bc4499bc501fe0ab38457a0237d5c1f3ebeb55c9e8788405d70e41
Instruction ID: e64a202c424278cbdfb2874532969747347e66e6c5e56ea038894c56c145e935
Opcode Fuzzy Hash: 3401010658bc4499bc501fe0ab38457a0237d5c1f3ebeb55c9e8788405d70e41
Instruction Fuzzy Hash: F8F0AF359042449FDB208F06DA85762FBE0EF05724F08C0AADD099F756D379E848CEA3

Uniqueness

Uniqueness Score: -1.00%

Function 04A302C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5122998e0b8df77a8e64573f3e17a3999bdb9fbd8c04dfbb2201244a094c3c7d
Instruction ID: 8a59256e9ff2a4343aacafdb7cc23a15e4ed9adbd7b9c13453747958b1c9ff68
Opcode Fuzzy Hash: 5122998e0b8df77a8e64573f3e17a3999bdb9fbd8c04dfbb2201244a094c3c7d
Instruction Fuzzy Hash: 59B14E38705A10CFC718EB74E958A5A7BF6FF98341B1084A8F9069BB6CDB349D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04A30799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abd17e43d5f8e8c494de2d49a7f7cecf9f86b2e8f9324fc5243c6016ca984bd
Instruction ID: d9a890da72c86af23cb61ea4f6b1a77a5b5c9f931a42ae8976dbbaedae076b69
Opcode Fuzzy Hash: 4abd17e43d5f8e8c494de2d49a7f7cecf9f86b2e8f9324fc5243c6016ca984bd
Instruction Fuzzy Hash: E2A17034B046048BDB14AB78D85577E77B3BB84309F148469E90A97798EF78EC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04A30C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7062ad54a85f1fc721f413cda539e2af361b964c9ee4e2b18fb382c0daa5d6cb
Instruction ID: 55e9ed1a07667c2d7902f59764ac9a1cb373c996b52f23827464cfc9501b57ea
Opcode Fuzzy Hash: 7062ad54a85f1fc721f413cda539e2af361b964c9ee4e2b18fb382c0daa5d6cb
Instruction Fuzzy Hash: 29213730B046548FCB16EB3A85013AE7BD6AFC6248B44447CE186CB385EF39ED02C796

Uniqueness

Uniqueness Score: -1.00%

Function 04A30CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ab9932ddb12a3da598d06f326fa347b740251812a01613e5bd4bfb568cb05
Instruction ID: ec802e263689df137a1d1e6df491bed0b2231c62f364ae5ed0dba5580f392153
Opcode Fuzzy Hash: 809ab9932ddb12a3da598d06f326fa347b740251812a01613e5bd4bfb568cb05
Instruction Fuzzy Hash: 7B212930B04A048BCB14EB3A85417AEB7D6AFC5248B44883CD186DB785EF79F9068796

Uniqueness

Uniqueness Score: -1.00%

Function 04A30BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b758c94a2d5137fae0361001217cfa130be1433dc6d00a63f068f97fe98898
Instruction ID: 62875b84df19006460c4b936528e3899a339b4bbf88af79329685a9b50c9d4d2
Opcode Fuzzy Hash: 04b758c94a2d5137fae0361001217cfa130be1433dc6d00a63f068f97fe98898
Instruction Fuzzy Hash: 63119136A10118AFCB05EBB8D85599F7BF6BF88214B154579E205E7234EB35A806C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 003F0808 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4079786007.00000000003F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8869c7f12b41a75aa2558b6760aa538e0642bdad80673857167c9838cdec2a19
Instruction ID: fbe2c8e91994cc11a42648e1fd8c4fba4da6b869d13157624d688ce18b4a911d
Opcode Fuzzy Hash: 8869c7f12b41a75aa2558b6760aa538e0642bdad80673857167c9838cdec2a19
Instruction Fuzzy Hash: 7001B1B24093506FC7018B55AC44856BFF8EF92524B08C8AAEC488B602D226A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003F05DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4079786007.00000000003F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ab9359bb3fd7a9594f048d7c9740386f343a28603c5b4348322f91bef90a58
Instruction ID: 19e8ae597df60227e97facdcc5024dee8f35958260e1ac6dcb9f48a8d267030e
Opcode Fuzzy Hash: d1ab9359bb3fd7a9594f048d7c9740386f343a28603c5b4348322f91bef90a58
Instruction Fuzzy Hash: 4F01677550D7805FD7118F16AC44863FFE8EF8652070984EFE8498B652D229A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 003F082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4079786007.00000000003F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a47ba3addd255ddd7336fb97fe41a37b21c161b62367a2054139891ef0fed1
Instruction ID: d57e785e7d857e42489d7cb09525e9f3ec3798796289c2e41c9e3c126d7770be
Opcode Fuzzy Hash: 08a47ba3addd255ddd7336fb97fe41a37b21c161b62367a2054139891ef0fed1
Instruction Fuzzy Hash: 60F082B2805604AB9300DF45ED45856F7ECEF94525F04C56AEC088B701E276B9198AF2

Uniqueness

Uniqueness Score: -1.00%

Function 003F0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4079786007.00000000003F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638a1da5da438db0415ecd1c643b883d7274efd747f86cc685c0be88be32ecc5
Instruction ID: 561a417ddf7ce14d10617ac29b3dfff913e3ad7e51d9201f04b4c6aa4bd18b0a
Opcode Fuzzy Hash: 638a1da5da438db0415ecd1c643b883d7274efd747f86cc685c0be88be32ecc5
Instruction Fuzzy Hash: 81E092B6A006004B9650CF0BEC81452F7D8EB84630708C47FDC0D8B701D239B908CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 04A30C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd0bd7813da943dac6e3e0a4967f9be7bcf0f66a389233df2ffa09da0282b06
Instruction ID: 5bf5f761fae40b394f107bbe801def1766d8df86bdcc7db0d9d31f947006ed78
Opcode Fuzzy Hash: 5fd0bd7813da943dac6e3e0a4967f9be7bcf0f66a389233df2ffa09da0282b06
Instruction Fuzzy Hash: 43E0DF32F182242FCB04DEBC84402AE7FE6EF86164B9144B9C008DB380EE39CD0287C1

Uniqueness

Uniqueness Score: -1.00%

Function 04A30C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283df586320a48274a5932f87bc77472fa88a0be12ea0f974fd6beafa0d6393b
Instruction ID: 8a6c81e194df75f60636c08b0528f9e7e806193af77b749594c106a561ae3ffb
Opcode Fuzzy Hash: 283df586320a48274a5932f87bc77472fa88a0be12ea0f974fd6beafa0d6393b
Instruction Fuzzy Hash: F1D01232F042282B8B48DEF9585159F7AEA9B85164B55447DD009D7340EF399D018781

Uniqueness

Uniqueness Score: -1.00%

Function 04A30DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab02a6ae9808aa31c6cba7de6c7b97b8e91c12ba683cdedf349a367b535f450
Instruction ID: 90589f6d22cbaeaacde1be60fe1663f06500d8cf109833af4c0ddfd3ed523997
Opcode Fuzzy Hash: 4ab02a6ae9808aa31c6cba7de6c7b97b8e91c12ba683cdedf349a367b535f450
Instruction Fuzzy Hash: 6EE0C23420C3408FCB039B3494155A03BA16F82204F4A84E5D4488F366DA68DC41D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 04A30E08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffd8cfbbb3059d12778e69f33225e7689bb181593a3728e1dee66cc1cf6204b
Instruction ID: 66985d93f238f725f81ee8d8ac7ff667de1a9f174bbd6ef5e06b8fb9c2fece7d
Opcode Fuzzy Hash: 1ffd8cfbbb3059d12778e69f33225e7689bb181593a3728e1dee66cc1cf6204b
Instruction Fuzzy Hash: 9DE0C23120D3808FD703AB3498159587F611F82304F59C1D6D0448F2A7D738DC01C780

Uniqueness

Uniqueness Score: -1.00%

Function 008623F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4079914339.0000000000862000.00000040.00000800.00020000.00000000.sdmp, Offset: 00862000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_862000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71517f4052ff838bd333a91307556c682240e25f361e4af377b968527f52a55f
Instruction ID: e06810244450011470b84ca15029ee8f3a8168c254904a60419e9f8519650e76
Opcode Fuzzy Hash: 71517f4052ff838bd333a91307556c682240e25f361e4af377b968527f52a55f
Instruction Fuzzy Hash: 33D05E79205AD14FD326DA1CC6A8BA537D4BF51714F4B44F9A800CBB63CB68D985D600

Uniqueness

Uniqueness Score: -1.00%

Function 008623BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4079914339.0000000000862000.00000040.00000800.00020000.00000000.sdmp, Offset: 00862000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_862000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08d232df44b766653ecce08409cbd2d7823f8273835fcffe725fc11c2bbe77d
Instruction ID: 9f3527944cd591ebd68897fd8f8b8325a17244c57fc325772467bb71bbd6b142
Opcode Fuzzy Hash: d08d232df44b766653ecce08409cbd2d7823f8273835fcffe725fc11c2bbe77d
Instruction Fuzzy Hash: CFD05E342006814FC725DB0CD3D4F5937D4BB40714F1A48E9AC10CB772C7A8D8C1DA00

Uniqueness

Uniqueness Score: -1.00%

Function 04A30DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c33c70487d7eb475bc8988d9cd8b6c6b51626dbf4410fd48c9e755f34dcd57
Instruction ID: 81a646e0f9d65b139d8a7330254d4ea3e852f5de06727a49eed4a43e148c5f65
Opcode Fuzzy Hash: e1c33c70487d7eb475bc8988d9cd8b6c6b51626dbf4410fd48c9e755f34dcd57
Instruction Fuzzy Hash: 9CC080303043048FD704E778D919E2573D657D0309F99C1A4A4080B359DB78FC40C6C4

Uniqueness

Uniqueness Score: -1.00%

Function 04A30E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4082037436.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c4da6e0c1d509d6e9fce3d6c89c1ab1899adac90643a05946029f507fcb279
Instruction ID: 8b784208a033cdf85653aaa11ea02e267d5e6a49a24a724d0fbd65c16089374b
Opcode Fuzzy Hash: b6c4da6e0c1d509d6e9fce3d6c89c1ab1899adac90643a05946029f507fcb279
Instruction Fuzzy Hash: 62C012303042048BC704A778D919A2977955BD4309F98C1A464081B259DB78F841C684

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 6896, Parent PID: 2580

General

Chronological Activities

Analysis Process: 7za.exePID: 4908, Parent PID: 6896

General

Chronological Activities

Analysis Process: conhost.exePID: 1804, Parent PID: 4908

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 6896, Parent PID: 2580COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0086B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 0086B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
MDE_File_Sample_445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5.zip

Function 0086B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0086AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0086AB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Function 0086A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0086A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 0086AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0086B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0086A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0086A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0086A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0086A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0086A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0086AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0086A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0086A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON