Edit tour

Windows Analysis Report
YGPRDS01_2024-04-26_03_35_12.538 (1).zip

Overview

General Information

Sample name:	YGPRDS01_2024-04-26_03_35_12.538 (1).zip
Analysis ID:	1431968
MD5:	d2c77e0c22e6427a360164d1352d785d
SHA1:	6c09d134fda4652bc05a4e55c922419f54d1f6a3
SHA256:	0f9e90d955b334048b55394cbb71987d9aa079bee5de51d85cd22d7b27f1a450
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 6688 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6736 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ai20ytml.mne" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ai20ytml.mne" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ai20ytml.mne" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: A50000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 656			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9312			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6928	Thread sleep count: 656 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6928	Thread sleep time: -328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6928	Thread sleep count: 9312 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6928	Thread sleep time: -4656000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0079B1D6 GetSystemInfo,

0_2_0079B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ai20ytml.mne" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431968
Start date and time:	2024-04-26 05:37:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YGPRDS01_2024-04-26_03_35_12.538 (1).zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:38:23	API Interceptor	4291465x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3785
Entropy (8bit):	5.077183552079931
Encrypted:	false
SSDEEP:	48:RuVG2Gb2G2GpIGpG2Gp8G2GB9G4G2Gb0GbGeGB9G4GrlG2G2GmH2G2GzG2GGG2Gh:Xe2KdCSBZT
MD5:	9AD9B77C728BF978A5DCA9524C0DF1E9
SHA1:	4ED56D2846E5CB8EA0D53980BB691923BA42AB70
SHA-256:	E4901835E5CB6E21FB7E4FFA8FA4D9F565E04454F7EFA2F06853523C3A676047
SHA-512:	BE3102C251C79A931D487E2EC997B8255E49C4497BD785E6105F812FB5CC0E57144DFB819EA43901D24A4A38BF2BDC0EE0728033CA5A649E78933F9E652C4FA8
Malicious:	false
Reputation:	low
Preview:	04/26/2024 5:37 AM: Unpack: C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip..04/26/2024 5:37 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\ai20ytml.mne..04/26/2024 5:37 AM: Received from standard out: ..04/26/2024 5:37 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/26/2024 5:37 AM: Received from standard out: ..04/26/2024 5:37 AM: Received from standard out: Scanning the drive for archives:..04/26/2024 5:37 AM: Received from standard out: 1 file, 475015 bytes (464 KiB)..04/26/2024 5:37 AM: Received from standard out: ..04/26/2024 5:37 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip..04/26/2024 5:37 AM: Received from standard out: ..04/26/2024 5:37 AM: Received from standard out: WARNINGS:..04/26/2024 5:37 AM: Received from standard out: Headers Error..04/26/2024 5:37 AM: Received from standard out: ..04/26/2024 5:37 AM: Received from standard ou

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.999582061286944
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	YGPRDS01_2024-04-26_03_35_12.538 (1).zip
File size:	475'015 bytes
MD5:	d2c77e0c22e6427a360164d1352d785d
SHA1:	6c09d134fda4652bc05a4e55c922419f54d1f6a3
SHA256:	0f9e90d955b334048b55394cbb71987d9aa079bee5de51d85cd22d7b27f1a450
SHA512:	86649aec56cd1b9140077f6182be31e108158a5c0e17d71888055f94e9cbb7f0f8a5300ea4f152ad21906b333623dc6a3c3155632b5cc7aba3a6f77ab5ad5f03
SSDEEP:	12288:zXzixbFZ07LgC+IJTHRPzqA2FgztGg+0t:ZLJ+sThzquMght
TLSH:	7FA4234F69841D8E430C5219FC4AC069DD58C6BA5AAC70E35F8AD307D51A6ED2F0FB2E
File Content Preview:	PK..-.........ZZ..7=..."..D...Device/HarddiskVolume3/Program Files/AutoHotkey/Compiler/Ahk2Exe.exe.......................w!....\B&"R....&.....(=.....z< k........n)qBs.1..#fp.nb...1.E.R...pJ.f....N....+.].MZ......8K..v.m..L2.V.H..7....9l".Z.m..@..i.ty....2

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	05:37:47
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip"
Imagebase:	0x190000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:37:47
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ai20ytml.mne" "C:\Users\user\Desktop\YGPRDS01_2024-04-26_03_35_12.538 (1).zip"
Imagebase:	0xa70000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:37:47
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0079B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0079B208

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 96b4ef6fd8592205eb460df10eec2928b7f7e217c74983c66669c424365419bc
Instruction ID: 10d6988d716ae7448dff74fa9bd5f8969e7e7a338ac30fe22d8b1950aff51783
Opcode Fuzzy Hash: 96b4ef6fd8592205eb460df10eec2928b7f7e217c74983c66669c424365419bc
Instruction Fuzzy Hash: F7018B719042409FEB10CF15E98476AFBE4EF15720F08C4AADD489F656D379A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D10799 Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@k, xrefs: 00D10822
:@k, xrefs: 00D108B5

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID: :@k$:@k
API String ID: 0-4032727010
Opcode ID: a0de32e0e55fc63c15873cb7a060028ac03eeb4aafe94b9867d78579c6482372
Instruction ID: 96292143cc944f38f0d6809d70b0c0336195e64326ecb05bcc3dd9a5ea5375bd
Opcode Fuzzy Hash: a0de32e0e55fc63c15873cb7a060028ac03eeb4aafe94b9867d78579c6482372
Instruction Fuzzy Hash: 66A1BF30B006019BDB18AB74D955BBEB7B3AFE4308F248429D90697794DF78DC86CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0079B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0079B2F3

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0f6c5942daa990d72ab52b26841607a1747828574ce7e01adb468c4ab71dae55
Instruction ID: ff718132d5beb565b1971abcd3892a2535c6a35b47e9d15509e01e2e40a111b9
Opcode Fuzzy Hash: 0f6c5942daa990d72ab52b26841607a1747828574ce7e01adb468c4ab71dae55
Instruction Fuzzy Hash: 743194715043446FEB228B61DC45FA6BFFCEF45310F08859AE985CB552D334A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0079AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0079ADA7

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b825424336d47d4e15b22c0d860ae2221f5ec367773aab11e947585afb7d9f94
Instruction ID: 078d7558aa38bf37c51c563b728c5ebaccc230f7f6118cdb3586a51977c707d4
Opcode Fuzzy Hash: b825424336d47d4e15b22c0d860ae2221f5ec367773aab11e947585afb7d9f94
Instruction Fuzzy Hash: 1631C171505344AFEB228B61DC44FA7BFECEF05214F08889AF985CB652D234A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0079AB76 Relevance: 1.6, APIs: 1, Instructions: 95
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0079AC36

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 68d37f484f975abd9c5e122128e5111d62e088615347c8ab3780330f68cec3b1
Instruction ID: 1c42461a729366f62b93ff4ed5b24effc1a181510a0418c4809c6c1d98df6517
Opcode Fuzzy Hash: 68d37f484f975abd9c5e122128e5111d62e088615347c8ab3780330f68cec3b1
Instruction Fuzzy Hash: 0831807250E3C06FD3038B318C65A51BFB4AF47610F1984DBD8C4DF6A3D2296919C762

Uniqueness

Uniqueness Score: -1.00%

Function 0079A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0079A67D

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 450b9a3e0431b047b59b959c9a1e1f5dc52bc83a87e482d12c001e79e0cc7820
Instruction ID: 2599125e59347893b8cd8765de9864371d77dc7045349ee01df7c9aecbfac041
Opcode Fuzzy Hash: 450b9a3e0431b047b59b959c9a1e1f5dc52bc83a87e482d12c001e79e0cc7820
Instruction Fuzzy Hash: CE317E71505340AFEB21CF65DD44F62BBF8EF49220F08889AE9858B652D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0079A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0079A1C2

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 76d6a268e5770b2d6708eaaef5cf5596b0e419b2046ec6f4ceb1f3584f073d6f
Instruction ID: 50817f31e3325f247963cf4a17c0a6cd92347b6a34228b9df958b9e83bbfba36
Opcode Fuzzy Hash: 76d6a268e5770b2d6708eaaef5cf5596b0e419b2046ec6f4ceb1f3584f073d6f
Instruction Fuzzy Hash: D821057150D3C06FD3028B218C51BA6BFB4EF87620F0985CBD8C4CF693D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A40C

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 666e0c11c60ab50155def4a715b3c501734c1dda114dcbd9da65d97d154cc330
Instruction ID: 98fc05718796704bb610b9921ec87d32b55c31bba55e29c1d02e55f5f91ddb14
Opcode Fuzzy Hash: 666e0c11c60ab50155def4a715b3c501734c1dda114dcbd9da65d97d154cc330
Instruction Fuzzy Hash: 2B218D71505340AFDB21CF15DC84FA2BBF8EF05710F08849AE945CB252D368E948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0079B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0079B2F3

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c43fe5ec99a9992be9830be72b2a2e3c0b4d64722b236bf44abddda0fe5bcb24
Instruction ID: 27139cdb5a8c796b0aa9c440198c3cc31b1811cc6a3dab115f0b1b59695007ec
Opcode Fuzzy Hash: c43fe5ec99a9992be9830be72b2a2e3c0b4d64722b236bf44abddda0fe5bcb24
Instruction Fuzzy Hash: B4219272500204AFEB21CF61DD45FABBBECEF04314F04896AE945DBA51D374E5488B61

Uniqueness

Uniqueness Score: -1.00%

Function 0079AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0079ADA7

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 07f948ab679112d9245538463e824eafb053f06b2a1ccaf1a85bdd72a7968040
Instruction ID: 2fb144ce9171633bc3fab0f4ec18c096a69ad97f9f68dbdd98e5cb7ee923f5d8
Opcode Fuzzy Hash: 07f948ab679112d9245538463e824eafb053f06b2a1ccaf1a85bdd72a7968040
Instruction Fuzzy Hash: F021C472500204AFEB218F51DD45FABFBECEF04314F04886AE945DBA55D734E5488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0079A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A8DE

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 457778efe7c4c86521d2ed049d7df3a7281eb4b5e03fd19b7b8b9c3b8f8d72fb
Instruction ID: 2c2a74479942f801ff850ccab2cc606797266d6e9d96d7aac6301ad054e697e0
Opcode Fuzzy Hash: 457778efe7c4c86521d2ed049d7df3a7281eb4b5e03fd19b7b8b9c3b8f8d72fb
Instruction Fuzzy Hash: 9121A4715093806FEB128B61DC44FA2BFB8EF46724F0984DAE984DB552D278A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 0079A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A9C1

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6b66474845fd360a939b9f38b500752bc426cffaed009f1e25fdfe4cf525fd54
Instruction ID: a8586484b3a308f9bfcaaedfbdeb5f71014e24cfc642e1ae167f1f0347082ec6
Opcode Fuzzy Hash: 6b66474845fd360a939b9f38b500752bc426cffaed009f1e25fdfe4cf525fd54
Instruction Fuzzy Hash: D82183714093806FDB22CF61DC44F96BFB8EF46314F08859AE9849B552D375A548CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0079A67D

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f850f097168eb1d61ecd0d8d84248a3c9b2cf2604084dbddb55065293f21bc5f
Instruction ID: 6d780ea4d0489f165c75f753241602c56dc50b78578507455ec3a43b745f55e2
Opcode Fuzzy Hash: f850f097168eb1d61ecd0d8d84248a3c9b2cf2604084dbddb55065293f21bc5f
Instruction Fuzzy Hash: 66219071501200AFEB21CF65DD85F66FBE8EF08314F088869E9458B751D379E808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A815

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ade92a46574aefe9e83feb12bc0d2d176db85115eb84897dafaf47ced5017f4a
Instruction ID: ecfbebae6981bc91b551a5d4a98351a787a862b9442532d7b55ad8f6cebf5484
Opcode Fuzzy Hash: ade92a46574aefe9e83feb12bc0d2d176db85115eb84897dafaf47ced5017f4a
Instruction Fuzzy Hash: 7621A8B54093806FE7128B11DC44FA2BFB8EF47714F0880D6E9848B653D268A90DD776

Uniqueness

Uniqueness Score: -1.00%

Function 0079A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0079A748

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 59ee03c1e2751961562ac878414eacd243f89524fd4349f0f1efdcb981d17f2f
Instruction ID: 5f7ed9096c761526153e2aef8fe9df9a51bcb9c87ccde7f656907f7e65b86cb1
Opcode Fuzzy Hash: 59ee03c1e2751961562ac878414eacd243f89524fd4349f0f1efdcb981d17f2f
Instruction Fuzzy Hash: CE21927550A7C05FDB138B25DC95752BFB8EF07220F0984DADD858F6A3D2689908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0079AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0079AA8B

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2c9f78bd705db73a1e5850817483624ecf70d8df881607bc3830554762d3292d
Instruction ID: 6fcd94810d4a0d85f77aa3ec7cde947d165b1ca8b02964670694b9ce9aeea951
Opcode Fuzzy Hash: 2c9f78bd705db73a1e5850817483624ecf70d8df881607bc3830554762d3292d
Instruction Fuzzy Hash: 4B2171715093805FDB12CB25DC55B92BFE8EF06314F09C4EAE984CB653D225D909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0079A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A40C

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8e7a5117e8616996b548a01c747f20f393792a2f8f4a0ff946c98a1d04da9860
Instruction ID: 2edd7128561162a2688ba3c4bf29d183ac0a6e8218ad1302de86ed0ab089147f
Opcode Fuzzy Hash: 8e7a5117e8616996b548a01c747f20f393792a2f8f4a0ff946c98a1d04da9860
Instruction Fuzzy Hash: AC218C75601204AFEB20CF15DC88FA6B7ECEF14710F18846AE945CB661D778E949CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A9C1

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ec2ae0da8dd7f62c6309b14bb0423f457815a9fefe471aa1fb674cb2a50033b4
Instruction ID: 9bc01d22f3dec69468924ffe72e27d6551908e4f8e1b67c92377cd89c4e37105
Opcode Fuzzy Hash: ec2ae0da8dd7f62c6309b14bb0423f457815a9fefe471aa1fb674cb2a50033b4
Instruction Fuzzy Hash: 2711C172500200AFEB21CF51DD44FA6FBE8FF14724F18846AE9459B655D378A548CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A8DE

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f52fc3b39b54c5edcea232fe053a240b2c987b123b621c490084c32ff8914d21
Instruction ID: 9a56f1702da82c53493aed75936228113d422cb072e8b40fa9606efed3c50675
Opcode Fuzzy Hash: f52fc3b39b54c5edcea232fe053a240b2c987b123b621c490084c32ff8914d21
Instruction Fuzzy Hash: E211E371500200AFEB21CF55DC44FA6FBE8EF54724F18845AED459B645D378A5488BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0079A30C

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 115e34085095b51490a437260f131f0fedd90db494f60195fad107e38be7d481
Instruction ID: c80d8e39a63d3563c04a1ef03e9dc6f66a5fba372a74255187e7e3471b83c571
Opcode Fuzzy Hash: 115e34085095b51490a437260f131f0fedd90db494f60195fad107e38be7d481
Instruction Fuzzy Hash: E51194754093C06FDB128B25DC54A52BFB4EF47220F0980DBDD848F163D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0079A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,5EB935B0,00000000,00000000,00000000,00000000), ref: 0079A815

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5d094095dd09cc58b92ca215c3ba693417ac5041df27bd0746db9f84db8147e8
Instruction ID: 829f0e4770545cd39f7df474f54fbcbe703cb289c134410062d94b61333f6f14
Opcode Fuzzy Hash: 5d094095dd09cc58b92ca215c3ba693417ac5041df27bd0746db9f84db8147e8
Instruction Fuzzy Hash: EF01D671504204AFEB61CB11DC44FA6FBE8EF15724F18C056ED059B745D378E94C8AB6

Uniqueness

Uniqueness Score: -1.00%

Function 0079AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0079AA8B

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 4bfaddc934924ed1c422fa5c4a4a0cb0e811666f5960c9725b05b10c794e2424
Instruction ID: a26ab8469fff886a1f7f7ee3fac8c273c8b79991f568ca0bd43804727b036919
Opcode Fuzzy Hash: 4bfaddc934924ed1c422fa5c4a4a0cb0e811666f5960c9725b05b10c794e2424
Instruction Fuzzy Hash: EB116571605240AFEB50CF15E984B56FBE8EF15710F08C4AADD45CB751E778E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0079B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0079B208

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 01312162f9a12a74481b9fe3458c4fe97524d76ad702a4f9ab28d068eb0d15aa
Instruction ID: 9a3a51d0625f648d93e4a9a899eca00355a18d43f1066cd8c7ce5d91349b2b5f
Opcode Fuzzy Hash: 01312162f9a12a74481b9fe3458c4fe97524d76ad702a4f9ab28d068eb0d15aa
Instruction Fuzzy Hash: 0A1170715093809FDB12CF25ED44B56BFB4EF46620F0884EAED849F652D279A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0079AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0079AFE4

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 67af661ef0070971a17635405d290540a55593cfe60ce0250b6851526ab0c1aa
Instruction ID: b9a71226f64e74eb06fb3d44b3b15e00b6473420c6429f0a53f03205a2e9ae92
Opcode Fuzzy Hash: 67af661ef0070971a17635405d290540a55593cfe60ce0250b6851526ab0c1aa
Instruction Fuzzy Hash: 1611A0715093C09FDB12CB25DC45B52BFF4EF46220F0984DAED858B662D378A808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0079A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0079A1C2

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 49ea4785b5eb7de986b51f3c2758b21910c0f88553abc96d2a20e65cf586844f
Instruction ID: fc8d266e849721bc643d1dfc41bc622943de7e210fb29692bc9d14e6d4c1a057
Opcode Fuzzy Hash: 49ea4785b5eb7de986b51f3c2758b21910c0f88553abc96d2a20e65cf586844f
Instruction Fuzzy Hash: 63017171A00200ABD310DF16DD85B66FBE8FB88A20F14856AED089BB41D735B955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0079ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0079AC36

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 866aed58a159a055981ee7c6a226ea32c55fe78ded178472e6b413445ab0fb58
Instruction ID: 02e351886e782bd12e0f292546b37aba53e59c3829beee204ac39038a3dfceb4
Opcode Fuzzy Hash: 866aed58a159a055981ee7c6a226ea32c55fe78ded178472e6b413445ab0fb58
Instruction Fuzzy Hash: AE01B171A00200ABD310DF16CD85B66FBE8FB88A20F14812AEC089BB41D735B919CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0079A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0079A748

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b9f7e32d491dc41813d4e2202cc63be2cf36353a082acda670abfcd8c4ebdb72
Instruction ID: 09a1582d54be3394793c281f7dd18496d793c1b852a58d2952e18b853c9b7d23
Opcode Fuzzy Hash: b9f7e32d491dc41813d4e2202cc63be2cf36353a082acda670abfcd8c4ebdb72
Instruction Fuzzy Hash: EC01F7719012409FDB50CF55E885766FBE4DF14320F18C4AADC05CF751D378E908CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0079AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0079AFE4

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: bca540b73dfe379ea102b6829610e00a7206f50da4f45bafd468487e561a93ba
Instruction ID: 6f0ab8dd3572719d7d95e16e9e63bbdb84d189551cca1be0f1a8b191ddec68b1
Opcode Fuzzy Hash: bca540b73dfe379ea102b6829610e00a7206f50da4f45bafd468487e561a93ba
Instruction Fuzzy Hash: 7301F4755042449FDB10CF19E885762FBE4EF15720F08C0AADD058B752E379E848DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0079A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0079A30C

Memory Dump Source

Source File: 00000000.00000002.4114138343.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2a91d9f55a82c9f0f6e6927225a637a2364cb5c23c975201402ad7f1c1eefe95
Instruction ID: 622fe4ac750be0a183938da54a08ff733bb6ad258056d1a2a0f7fbdb5ab07fa4
Opcode Fuzzy Hash: 2a91d9f55a82c9f0f6e6927225a637a2364cb5c23c975201402ad7f1c1eefe95
Instruction Fuzzy Hash: EEF0AF35905244AFDB20CF06E884762FBE4EF15720F08C0AADD094B752D379E808CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D10C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

[MV, xrefs: 00D10D43, 00D10D48

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID: [MV
API String ID: 0-2355692974
Opcode ID: 9b7a509f2835fa0361eea7d0d751fcd9ae6c92f36621e0726c2290f07018e88c
Instruction ID: 2431404a83f0e1ac9873dc3dd73356059dda4d118db44bbbdfbafcd0421034c0
Opcode Fuzzy Hash: 9b7a509f2835fa0361eea7d0d751fcd9ae6c92f36621e0726c2290f07018e88c
Instruction Fuzzy Hash: CC210430700655ABCB15EB39A4026AFBADB9BD5308B44843CD085DB341DF7AE98687A6

Uniqueness

Uniqueness Score: -1.00%

Function 00D10CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[MV, xrefs: 00D10D43, 00D10D48

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID: [MV
API String ID: 0-2355692974
Opcode ID: c9c48241d01fe3abf2d6fe4c22626f8be6967f0b3948e2fc0a072a3f0274c151
Instruction ID: f97bfacba7404ab4e0fccc2eeaf7f58d153be9fdafc05881787d52780be12de4
Opcode Fuzzy Hash: c9c48241d01fe3abf2d6fe4c22626f8be6967f0b3948e2fc0a072a3f0274c151
Instruction Fuzzy Hash: C321F3307006159BCB14EB3994426AFBBEBAFD5308B44883CD086DB741DF7AE9468796

Uniqueness

Uniqueness Score: -1.00%

Function 00D102C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb55dcfab3207c468fb813d48cfdcc75bca9ac0ae1653f5f6905f41abae44340
Instruction ID: 4be00cf8dff9d9bfd41f9e3ea21bfdf322165db28b025030c86c5e3701d4daf4
Opcode Fuzzy Hash: eb55dcfab3207c468fb813d48cfdcc75bca9ac0ae1653f5f6905f41abae44340
Instruction Fuzzy Hash: A0B16E34701510DFC768FF64E958A9A7BF2FF99300B54C4A4EA06973A8CB749D81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D20808 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114490988.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc480011733e128b85d5bd53e6629e37ac5aef1c9292e7bea606c322e48b7eb9
Instruction ID: 33d7063d15b6311fc0a3675aa80533d6b5d233a41de41d6cee17e992d6dbd5bc
Opcode Fuzzy Hash: cc480011733e128b85d5bd53e6629e37ac5aef1c9292e7bea606c322e48b7eb9
Instruction Fuzzy Hash: F411D6B25092446FD300DF15AD459A6FBE8DF86525F08C4BBEC48CB701E236B95D8BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00D10BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d505ca24fbd5bbb28ce77371e0e6b7ee05b79bc8fb5543b4165511796124f5a
Instruction ID: 9ab3404dd2c4de35a2f2d799ba722831113cf6a0bd039f58aa85888720407b1e
Opcode Fuzzy Hash: 2d505ca24fbd5bbb28ce77371e0e6b7ee05b79bc8fb5543b4165511796124f5a
Instruction Fuzzy Hash: AA119E32B10118AFCB55ABB8D844DDFBBF6BB88214B058475E605E7334EF31A8498B91

Uniqueness

Uniqueness Score: -1.00%

Function 00D205E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114490988.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0194bc89c7854a96672b6cba7d7d212cecb89d997cd28545b1ab7a45ea15207
Instruction ID: 043bbfef5705c4913831c1f415ead91c593d8b6277ac628607c28ea29548997e
Opcode Fuzzy Hash: c0194bc89c7854a96672b6cba7d7d212cecb89d997cd28545b1ab7a45ea15207
Instruction Fuzzy Hash: E101B9B150D3D06FD7038B119C45856BFB8DE5766070984DBE849CB663D239B908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114490988.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3337eca4dcf0222664b0826d95aec73cbae5cbf4b25c60f4286a3fff5e820c3
Instruction ID: 73521b5b81af46d97658890cdbd1bab6190c971a7f03d6ae1d2d59c229de594a
Opcode Fuzzy Hash: b3337eca4dcf0222664b0826d95aec73cbae5cbf4b25c60f4286a3fff5e820c3
Instruction Fuzzy Hash: B0F082B2905204ABD200DF05ED458A6F7ECEF84521F04C53AED088B700E376B9194AE7

Uniqueness

Uniqueness Score: -1.00%

Function 00D20606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114490988.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2a6129a1cf700664c07832537520315633ac0a0743c42c0dec27470b3d6176
Instruction ID: 35aa3aee085c842e7566dab5cfa9d1398eaf43d7ab6505dfc73a387e0ac484eb
Opcode Fuzzy Hash: 7f2a6129a1cf700664c07832537520315633ac0a0743c42c0dec27470b3d6176
Instruction Fuzzy Hash: ECE092B66006004B9750CF0BEC41452F7E8EB88630B08C07FDC0D8B701E239B508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D10C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba65e99547866917a7c10bc8cdafa670ca3fa27d788cf07a54345f605779617b
Instruction ID: 23fe0e3c760bf3adf273b4a7257a2890c8d35ce695cf48cbc860ea5a58dfa58e
Opcode Fuzzy Hash: ba65e99547866917a7c10bc8cdafa670ca3fa27d788cf07a54345f605779617b
Instruction Fuzzy Hash: 09E0DF32F142242FEB08EAB9A4406EF7FE69B82114B80457A9008D7360EE39CD0283C1

Uniqueness

Uniqueness Score: -1.00%

Function 00D10C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098eb3c8a1a36fcd6118bf8d4b490a4fe257cc4ed6d94e9a5f1f2950836a2246
Instruction ID: 3c25275180895fe2cc64f270208a53f3e6c9ec9aa40f5c7584986eeb820a4c03
Opcode Fuzzy Hash: 098eb3c8a1a36fcd6118bf8d4b490a4fe257cc4ed6d94e9a5f1f2950836a2246
Instruction Fuzzy Hash: CAD05B32F002183B9B44EBF998415DF7BEAABC4154B55447D9009E7750EF35DD0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 00D10DD1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a0e3209f9744247fd68a08dd096fc10f434236f2950702ee071f69f099374c
Instruction ID: 1fa7978b9f49b255ac7724fb42192c1ab9efdd9c10f6a3e7b24eabce11284100
Opcode Fuzzy Hash: c6a0e3209f9744247fd68a08dd096fc10f434236f2950702ee071f69f099374c
Instruction Fuzzy Hash: CEE0C22070C2815FD30AA370E814AAA7F510BA2300F4981EAE0888B2E3DFB4DCC4C361

Uniqueness

Uniqueness Score: -1.00%

Function 00D10E09 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a6cb9e1f6478feada1a2ea55ae2e617a9318b819f9588e857827aefe925dd2
Instruction ID: 3fcb23df961ed923ab04e4bb20a5250a583f97e872408b70f2c9fdd0ccb51c9f
Opcode Fuzzy Hash: 37a6cb9e1f6478feada1a2ea55ae2e617a9318b819f9588e857827aefe925dd2
Instruction Fuzzy Hash: D4D0C2203193845FC7066730A4155A97F6117C6300F59C4D1E5844B2A3CAA4CDC4C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007923F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114120818.0000000000792000.00000040.00000800.00020000.00000000.sdmp, Offset: 00792000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_792000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d65058603a8c1d49cc55e18328731590c145478297501fb9f294ffb3b8720c0
Instruction ID: 18fba09b7163752018b578c02df8eadcb1fade760f6587ec79332f9d637171f8
Opcode Fuzzy Hash: 9d65058603a8c1d49cc55e18328731590c145478297501fb9f294ffb3b8720c0
Instruction Fuzzy Hash: F3D02E393006C04FD712EA0CD1A8B8537D4AF70708F0A00F9A8008B773CB2CDC82D600

Uniqueness

Uniqueness Score: -1.00%

Function 007923BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114120818.0000000000792000.00000040.00000800.00020000.00000000.sdmp, Offset: 00792000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_792000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7441b9a4fe8086e8f5d0f4360a08ab0a5273cf16e25896d22bc8e8fea9cc0a94
Instruction ID: 11f43d6c60595b3a69d1477affc1e40b3ea6e68a4e8473879e68d931da7ece94
Opcode Fuzzy Hash: 7441b9a4fe8086e8f5d0f4360a08ab0a5273cf16e25896d22bc8e8fea9cc0a94
Instruction Fuzzy Hash: 66D05E342002815BCB16EA0CD6D4F5937D4AF54B14F0644E8AC108B762C7ACD8C1DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00D10E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f550558cfba1997b53678533dedd9eb9d3194a54cd55fa076a95580649093255
Instruction ID: 5dcbef8e2c72713bcf972183961a5fcc06bc7805c31b35cc0b33d992720953a0
Opcode Fuzzy Hash: f550558cfba1997b53678533dedd9eb9d3194a54cd55fa076a95580649093255
Instruction Fuzzy Hash: 88C012313002049BC748B778E519E6ABB9957D4304F88C464A4080B266CFB4ECC0C650

Uniqueness

Uniqueness Score: -1.00%

Function 00D10DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4114480051.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3948cc36135dfc83af70983f4dc8c01a45e4c4cf3149dcfeda3ef69afdfef5
Instruction ID: 9c72db8e6d3d6c56060d93e0d0378505035f04799ae9c204213d39a50472cbe1
Opcode Fuzzy Hash: 2d3948cc36135dfc83af70983f4dc8c01a45e4c4cf3149dcfeda3ef69afdfef5
Instruction Fuzzy Hash: 67C012303002049BC708B778E519E667B9657D0304F89C464A4080B266CFB4ECC0C690

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YGPRDS01_2024-04-26_03_35_12.538 (1).zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 6688, Parent PID: 2580

General

Chronological Activities

Analysis Process: 7za.exePID: 6736, Parent PID: 6688

General

Chronological Activities

Analysis Process: conhost.exePID: 6764, Parent PID: 6736

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 6688, Parent PID: 2580COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0079B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 00D10799 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Windows Analysis Report
YGPRDS01_2024-04-26_03_35_12.538 (1).zip

Function 00D10799 Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Function 0079B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0079AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0079AB76 Relevance: 1.6, APIs: 1, Instructions: 95
pipeCOMMON

Function 0079A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0079A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Function 0079A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0079B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0079AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0079A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0079A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0079A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0079A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0079A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 0079AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON