Edit tour

Windows Analysis Report
Quarantined Messages (12).zip

Overview

General Information

Sample name:	Quarantined Messages (12).zip
Analysis ID:	1438430
MD5:	fb66102da29885913218383755e3b9ae
SHA1:	4adc29db7c64da24806bf26fb6914594c97c5d17
SHA256:	a5b66402a0ce61012b3bac28124606224f33aa313e790bd46792e3bf2c0c4995
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 1432 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages (12).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 2528 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mlkax1j3.a2v" "C:\Users\user\Desktop\Quarantined Messages (12).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 2744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2744:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages (12).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mlkax1j3.a2v" "C:\Users\user\Desktop\Quarantined Messages (12).zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mlkax1j3.a2v" "C:\Users\user\Desktop\Quarantined Messages (12).zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_00C225C1 push eax; iretd	0_2_00C225C2
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_00C22D7D push edx; iretd	0_2_00C22D7E
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_010D0C9F push ds; ret	0_2_010D0CA2
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_010D0C99 push ds; ret	0_2_010D0C9A
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_010D0C9B push ds; ret	0_2_010D0C9E

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1020000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 553			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9413			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3260	Thread sleep count: 553 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3260	Thread sleep time: -276500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3260	Thread sleep count: 9413 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3260	Thread sleep time: -4706500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00C2B1D6 GetSystemInfo,

0_2_00C2B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mlkax1j3.a2v" "C:\Users\user\Desktop\Quarantined Messages (12).zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1438430
Start date and time:	2024-05-08 18:05:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quarantined Messages (12).zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Quarantined Messages (12).zip

Simulations

Behavior and APIs

Time	Type	Description
18:07:09	API Interceptor	4461713x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3406
Entropy (8bit):	5.045111605717923
Encrypted:	false
SSDEEP:	48:QPe99UGbPGPGpJGIGGPGpRpGb9G+pGHGgGPGPGmQGPGGGPGmZEL16bTQfhtGtvE7:QPAZQiTnU2Uhtj
MD5:	4D546BB82083FEB1195D55B379FE3B31
SHA1:	411C3ADED38A9D903627DC212EAF6C5907D3D0D7
SHA-256:	07CD434A379698AB01C2CC91823C693D22D4B66F382CEC29EA84F5D6FCF6DE7E
SHA-512:	17CF916589506071E02C43665C4439D95D54AC6E103650F005A5A5D206AE215273F1C7F48086DEACE2E0B853ED6D9E1F93138864DC12F4B579DCE1A2EB106333
Malicious:	false
Reputation:	low
Preview:	05/08/2024 6:06 PM: Unpack: C:\Users\user\Desktop\Quarantined Messages (12).zip..05/08/2024 6:06 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\mlkax1j3.a2v..05/08/2024 6:06 PM: Received from standard error: ERROR: Wrong password : 4e9f09b1-dd0f-4789-b729-08dc6f58a520\2a244594-eb3e-da76-c5bb-13b6e218de2c.eml..05/08/2024 6:06 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..05/08/2024 6:06 PM: Received from standard out: ..05/08/2024 6:06 PM: Received from standard out: Scanning the drive for archives:..05/08/2024 6:06 PM: Received from standard out: 1 file, 15488 bytes (16 KiB)..05/08/2024 6:06 PM: Received from standard out: ..05/08/2024 6:06 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\Quarantined Messages (12).zip..05/08/2024 6:06 PM: Received from standard out: --..05/08/2024 6:06 PM: Received from standard out: Path = C:\Users\user\Desktop\Quarantined Messages (12).zip..05/08/2024 6:06

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.985973653418505
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Quarantined Messages (12).zip
File size:	15'488 bytes
MD5:	fb66102da29885913218383755e3b9ae
SHA1:	4adc29db7c64da24806bf26fb6914594c97c5d17
SHA256:	a5b66402a0ce61012b3bac28124606224f33aa313e790bd46792e3bf2c0c4995
SHA512:	f8e77b63bf96601562d28faa6f195ba2159ab0a3952ee5e76d3c774bc8cf34e56bfeca1a036aafcdb4345042b2adf236d4533cf051a2ea4636a2138f5603bfee
SSDEEP:	384:2H2mqBxAlyOLYVL4H//NQ8Ht8cldc2OewMCki:2WfG0M/NN88xOJMCv
TLSH:	EE62D04DDE7F861CC8991DEC347BCBC5CA003180A9092073C7CBAF1573A6A5CAA67DA5
File Content Preview:	PK..-.....k..X............M...4e9f09b1-dd0f-4789-b729-08dc6f58a520/2a244594-eb3e-da76-c5bb-13b6e218de2c.eml....K.......D;......a.........$.\..J.\.".QLt..6..F.+_.,t......I. ..e..:...n.e.!.g B...._.X~..........Y.6a..`6...}/....1.a.V.....6...@l3....?...c.2.i

File Icon


Icon Hash:	90cececece8e8eb0

Target ID:	0
Start time:	18:06:34
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages (12).zip"
Imagebase:	0x650000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	18:06:34
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mlkax1j3.a2v" "C:\Users\user\Desktop\Quarantined Messages (12).zip"
Imagebase:	0x130000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:06:34
Start date:	08/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	76
Total number of Limit Nodes:	4

Executed Functions

Function 00C2B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00C2B208

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 66359da54444ac74ed99c81973c7026479ed09ae812f81fe0310d58da61cefc8
Instruction ID: f4f43c52357e8a13154fc0bbfb13048fabde7979e987519eb985c6a0b3b6bb9d
Opcode Fuzzy Hash: 66359da54444ac74ed99c81973c7026479ed09ae812f81fe0310d58da61cefc8
Instruction Fuzzy Hash: 9F01A271400340DFDB10CF56E985766FBE4DF44320F08C4AADD488F652D375A944CBA1

Function 00C2B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C2B2F3

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 952da9d1feb16db4c2fac6b45a3102908f4df76e3470d8eca2350e6d242b950b
Instruction ID: 1fb412c833fc142a11b8dc9a2c302df92db75c992cb71c769e46a7a7e1660829
Opcode Fuzzy Hash: 952da9d1feb16db4c2fac6b45a3102908f4df76e3470d8eca2350e6d242b950b
Instruction Fuzzy Hash: 0C31B271404344AFEB228B61DC44FA7BFBCEF05310F04889AF985DB562D364A909DB71

Function 00C2AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C2ADA7

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c43a839a9f2265be906e7f5dad3e29126376e3ce45ac79cb8b887c7575c9b92a
Instruction ID: 0b71365541f3dd1d57c4f5fe72eb572b091458534b7acb1f84296af28a0dd743
Opcode Fuzzy Hash: c43a839a9f2265be906e7f5dad3e29126376e3ce45ac79cb8b887c7575c9b92a
Instruction Fuzzy Hash: 3931B371404384AFEB228B61DC44FA7BFECEF05314F04889AF985DB562D324A919DB71

Function 00C2AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00C2AC36

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 83df4fda79ab87b0345208e612a122a5e50b3b9178046c8793c20a6ec518f082
Instruction ID: fabe5231565d38e062e5a33a989897d4aa1e806fcc47ca590dd23ac374c4c729
Opcode Fuzzy Hash: 83df4fda79ab87b0345208e612a122a5e50b3b9178046c8793c20a6ec518f082
Instruction Fuzzy Hash: 1D318D7250E3C06FD3038B718CA5A56BFB4AF47610F1A85CBD8C4DF5A3D2286919C7A2

Function 00C2A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00C2A67D

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 20cdff5a7cda36eda6f8246d0d7ab13928bd29d883c306c5ff872cc9ded6c651
Instruction ID: d9b608cc17e784fca0211e41b74f277cfdb27eee52c757bf4ce76693cc965671
Opcode Fuzzy Hash: 20cdff5a7cda36eda6f8246d0d7ab13928bd29d883c306c5ff872cc9ded6c651
Instruction Fuzzy Hash: ED318DB1504380AFE721CF65DC44F66BFE8EF05620F08889EF9858B662D365E919CB71

Function 00C2A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00C2A1C2

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 39f18eed324b681d8bbfa9e5fcdff76c11f055d7e8113ceddcacdd0caf97ad57
Instruction ID: ee4784f7124a3df8d7af9db9fac377ccd7af997789296fc475383efd8dcf3c9f
Opcode Fuzzy Hash: 39f18eed324b681d8bbfa9e5fcdff76c11f055d7e8113ceddcacdd0caf97ad57
Instruction Fuzzy Hash: 4121D67150D3C06FD3028B218C51BA6BFB4EF87610F1984DBD9C4DF593D225691AC7A2

Function 00C2A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A40C

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: de55eb364bf637caa7a935bc690dc8e0922c4fb7dee272312ade7e649b3434b6
Instruction ID: 3ec2974e650bd6ccbe1b5c75a159dfe3d5f9a0efd3b23a21bb25d0ec80304b9c
Opcode Fuzzy Hash: de55eb364bf637caa7a935bc690dc8e0922c4fb7dee272312ade7e649b3434b6
Instruction Fuzzy Hash: 3D215A75504744AFD721CF51DC84FA2BBF8AF45720F08849AEA858B6A2D364E948CB72

Function 00C2B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C2B2F3

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 392827cce3f559f86137df2039d3b849fce81aa422880a740bb3eced3961ca15
Instruction ID: 6a8c3223b568c86d10f2e7f5104d792bc241a7bd5351c8caa73a1cc0d58813e9
Opcode Fuzzy Hash: 392827cce3f559f86137df2039d3b849fce81aa422880a740bb3eced3961ca15
Instruction Fuzzy Hash: E4218371500204AFEB21DF55DC44FAAFBE8EF04314F04885AEA459B661D774A9489B71

Function 00C2A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00C2A5B6

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 1ce9d69b73189ab0b458e96c9ab3dcbb26b381f54c28e34c2f963e499ef19c06
Instruction ID: 30b4703e075062354d28f8fa66394be297a94bc82244afa3c763dd3be2bff610
Opcode Fuzzy Hash: 1ce9d69b73189ab0b458e96c9ab3dcbb26b381f54c28e34c2f963e499ef19c06
Instruction Fuzzy Hash: 2221A37150D3806FD3138B25CC51B62BFB8EF87614F0A81DBE8849B593D6246919C7B2

Function 00C2AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C2ADA7

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3077ce160769f564469c845fd939a46816bfa39b935ae0500637d25b4d1c5f0
Instruction ID: 0a5c83cf8a3a7b5b43660ee5117394dc0b73cb52b45518b47f025f60fda904a6
Opcode Fuzzy Hash: e3077ce160769f564469c845fd939a46816bfa39b935ae0500637d25b4d1c5f0
Instruction Fuzzy Hash: E6218172500204AFEB219F55DC44FABBBE8EF04324F04885AEA459AA61D734A5589BB1

Function 00C2A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A8DE

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 142d8b7fc10a1732b9fd3416de0fa8ae81f8dfa871fc60328a5409b512b501f8
Instruction ID: c7598dbe805bfcdaa8e8d1d90b15c40450e2358a2525f8d2aa3b1ff3c3fd70a8
Opcode Fuzzy Hash: 142d8b7fc10a1732b9fd3416de0fa8ae81f8dfa871fc60328a5409b512b501f8
Instruction Fuzzy Hash: BF21B671408380AFE7128F55DC44FA2BFB8EF46714F0984DBF9849F552D264A919CB71

Function 00C2A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A9C1

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 732b15d4b323491bd367b1e462913ca536c062057c7800eef4ee3ef7cf4e1e8f
Instruction ID: 782863a5b85edcd6185794820ba7755c024899190e86fe3aafa513059f33c77b
Opcode Fuzzy Hash: 732b15d4b323491bd367b1e462913ca536c062057c7800eef4ee3ef7cf4e1e8f
Instruction Fuzzy Hash: 8921A171409380AFDB22CF51DC44F96BFB8EF46314F08849AE9849F162D365A548CBB2

Function 00C2A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00C2A67D

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 042b89bdf5f21346392a425fc37b573ced3bb5d9cf8af8a13999a1f9f2db2682
Instruction ID: e0d5a0c67159cddb94c4ef2533501ae098e71b674419189688fe7e5a94e6c617
Opcode Fuzzy Hash: 042b89bdf5f21346392a425fc37b573ced3bb5d9cf8af8a13999a1f9f2db2682
Instruction Fuzzy Hash: 58217F71500240AFE721CF66DD45F66FBE8EF04724F088459EA458BA51E375E908CB72

Function 00C2A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A815

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8b7dd2980bce1bc9266fceb035f6c410e8028f6a272a0c4b5a5988bc8dd9f67d
Instruction ID: 16d117006b1f5fef13eb295b8ad12a67c0ec3a87e0bb8261a6ff5d5ee22a47a0
Opcode Fuzzy Hash: 8b7dd2980bce1bc9266fceb035f6c410e8028f6a272a0c4b5a5988bc8dd9f67d
Instruction Fuzzy Hash: 8221A5B54093846FE7128B51DC44BA2BFB8EF46714F0980DBE9848B693D264A909C776

Function 00C2A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2A748

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9d15f0524c691b8fe0968f80919f0b9d6bc990c74db59939f7c3e68af521ab1a
Instruction ID: 3730b8840e9e068ee9974b30a487d0c5581ec945bf43636796e48ce9ab007415
Opcode Fuzzy Hash: 9d15f0524c691b8fe0968f80919f0b9d6bc990c74db59939f7c3e68af521ab1a
Instruction Fuzzy Hash: 372192755093C09FDB128B25DC95752BFB8AF07320F0984DAED858F6A3D2649909C762

Function 00C2AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00C2AA8B

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 255c283fe296e2ed561654c182bc2acd4a68786200761b87c615d4b8cfce1541
Instruction ID: fec466408f32e3569717a15b7131a35e320e2f3bf3a51ce4aeed75758c0b0f6c
Opcode Fuzzy Hash: 255c283fe296e2ed561654c182bc2acd4a68786200761b87c615d4b8cfce1541
Instruction Fuzzy Hash: 5521C2715083C09FDB12CB29DC55B92BFE8AF46314F0D84EAE984CF553D224D909CB61

Function 00C2A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A40C

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc1043a88f6eb6f02361edbbf92d408ede6b709225d97431c84b33700fd91593
Instruction ID: 09393f5584cc115e873e2b2db68a6acd3465452ba6a2d91d907d9aac2378b48b
Opcode Fuzzy Hash: bc1043a88f6eb6f02361edbbf92d408ede6b709225d97431c84b33700fd91593
Instruction Fuzzy Hash: A02190755006049FE720DF16DC84FA7F7ECEF04720F14C45AEA458BA61E764E949CA72

Function 00C2A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A9C1

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 626cb90ac60cf5a2bb0adeec51693bce312ba6bb11d42db252b9db48070e6ffa
Instruction ID: 1a49f26a379a7b77df6f7706a97a6d09cbb9de385ba848ae3a40f318dcf13b04
Opcode Fuzzy Hash: 626cb90ac60cf5a2bb0adeec51693bce312ba6bb11d42db252b9db48070e6ffa
Instruction Fuzzy Hash: A211C471400300AFEB21DF56DC44FA6FBE8EF44724F14845AEA459B651D374A548CBB2

Function 00C2A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A8DE

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9e6f536ca7e34d05bb00cf689d878cca674645e047e23e548df72ff827a3c871
Instruction ID: b1559003e496b70dab2dbbc2385ba11dfe0984c39fb77337aa658ac15de6dbcb
Opcode Fuzzy Hash: 9e6f536ca7e34d05bb00cf689d878cca674645e047e23e548df72ff827a3c871
Instruction Fuzzy Hash: E711E371400200AFEB21DF56DC84FA6FBE8EF44724F14C49AEE499BA51D374A548CBB2

Function 00C2A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C2A30C

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 784395a82777421eb98c75958d81700ac613a312557bd81df8d2a73809b81857
Instruction ID: fee415839aadc241f2304a612f67652778b8c5b0b2a47e464333a48125a812c8
Opcode Fuzzy Hash: 784395a82777421eb98c75958d81700ac613a312557bd81df8d2a73809b81857
Instruction Fuzzy Hash: 0C11A0758093C09FDB228B25DC54A52BFB4DF47320F0A80DBED848F663D265A948CB72

Function 00C2A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,AA490CAE,00000000,00000000,00000000,00000000), ref: 00C2A815

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 540af675ee6006e45880cbd0c93319ef688f26d9d0d41a6cff77d07a81fff41d
Instruction ID: 02e46ad312514d3a1d2c51933fb2c76cab1da024daad8a98840362be57d1677f
Opcode Fuzzy Hash: 540af675ee6006e45880cbd0c93319ef688f26d9d0d41a6cff77d07a81fff41d
Instruction Fuzzy Hash: 5501F975500244AFE720CF06DC84BA6FBD8DF44724F14C096EE058B791E374E948CAB6

Function 00C2AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00C2AA8B

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7af599734c0cc5206b152c9465c3e4848c7de27e205f4b0e00ccad5f2a993f77
Instruction ID: 299b6f8212b3fb22d3382f14dcaea1cf4a9ae2ab205c245a98f5541689e978f7
Opcode Fuzzy Hash: 7af599734c0cc5206b152c9465c3e4848c7de27e205f4b0e00ccad5f2a993f77
Instruction Fuzzy Hash: 9B118271500240DFDB50CF1AE984B56BBD8EF04720F08C4AAED49CB651E234E944DE62

Function 00C2AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00C2AFE4

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b0d460b9d5726bddfb23e86df1405f45b5a291e964f9abfaa2458c2c15045591
Instruction ID: ec94d464c4021319f47c749e7594c211ce8baf440d49dfcdd4696fdf74f8a969
Opcode Fuzzy Hash: b0d460b9d5726bddfb23e86df1405f45b5a291e964f9abfaa2458c2c15045591
Instruction Fuzzy Hash: 5311A0715093C09FDB128B25DC45B52BFF4EF46320F0984DBED858B662D364A848CB61

Function 00C2B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00C2B208

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 78a323692240251b39398d66b485af7b894820c8bf7119dbe7ea7c82c6c51e56
Instruction ID: 13d041780b0ebfc43317a608e8e0377ef5d98624d3612639ce2329e4aa7b6b53
Opcode Fuzzy Hash: 78a323692240251b39398d66b485af7b894820c8bf7119dbe7ea7c82c6c51e56
Instruction Fuzzy Hash: 8F117C714093C0AFDB12CF15ED88B56BFB4DF46320F0984EAED849F252D275A908CB62

Function 00C2ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00C2AC36

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 7900c11106aaae80fa72d976d60a3460341de6d861ae08d45ede46faa0519665
Instruction ID: a56df056c833d43549ed6b06b09736b683344c41b831d2230307279b170e9010
Opcode Fuzzy Hash: 7900c11106aaae80fa72d976d60a3460341de6d861ae08d45ede46faa0519665
Instruction Fuzzy Hash: B601BC71900200AFD350DF16CC86B66FBE8FB88B20F14812AED489BB41D731B956CBE1

Function 00C2A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00C2A1C2

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 5ce9c1fe0b77a45775757ad38b091aa295fde68351981afb9c65240b3a1c43b9
Instruction ID: 21760820e78fe5b8adad5085695cc7f57527166ce5795b07d0eddee49c6de496
Opcode Fuzzy Hash: 5ce9c1fe0b77a45775757ad38b091aa295fde68351981afb9c65240b3a1c43b9
Instruction Fuzzy Hash: B701BC71900200AFD310DF16CC86B66FBE8EB88A20F14816AED089BB41D731B956CBE1

Function 00C2A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00C2A5B6

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: e3a6359749d1390b9017a54833a5021aea8ea2dcad942b61c331e4a318217277
Instruction ID: 51eb49ac6b9954497b590422c22a6dde66e0994fe675fd2083c2f41374618591
Opcode Fuzzy Hash: e3a6359749d1390b9017a54833a5021aea8ea2dcad942b61c331e4a318217277
Instruction Fuzzy Hash: 7501AD71600600ABD210DF16CC86B66FBE8FB88A20F14815AED089BB41D731F956CBE6

Function 00C2A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2A748

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: df4910d5aa69eb07af8e2deee8f8e0edadc70669bd94e14c8647523de448d5d9
Instruction ID: 72ffcf3a88a707be2a57f20d14b714302b09e7a6c52f0829e008b2d477777023
Opcode Fuzzy Hash: df4910d5aa69eb07af8e2deee8f8e0edadc70669bd94e14c8647523de448d5d9
Instruction Fuzzy Hash: E701F2759002408FDB10CF1AE985766FBE4DF00720F18C4EAED498FB52D278E948DAA2

Function 00C2AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00C2AFE4

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 311c33bb502346eef60500f09814c1263fdd0fcdb1b28360d079f42b8c70e6fa
Instruction ID: cc05f985417b9c385dbd80fa5a71d2d838e668efdd8d6ff5bd2f2ee836c8aee2
Opcode Fuzzy Hash: 311c33bb502346eef60500f09814c1263fdd0fcdb1b28360d079f42b8c70e6fa
Instruction Fuzzy Hash: 2E01D6755002448FDB108F1AE984762FBD4EF04320F08C0DADD598BB51E379E848DEA2

Function 00C2A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C2A30C

Memory Dump Source

Source File: 00000000.00000002.4507152206.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c2a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 05e707443b446532fe3782e7532a41f9bfddf72964a79abd46a95cbbf33eddf7
Instruction ID: 225f15a5ac8247067b7597b64add63ea4aa2ccabce72a9ce19be0bfad6932598
Opcode Fuzzy Hash: 05e707443b446532fe3782e7532a41f9bfddf72964a79abd46a95cbbf33eddf7
Instruction Fuzzy Hash: 3EF08C75404244CFDB20CF0AE984762FBE0EF44724F08C09ADE494BB62D379E948CAA2

Function 010D07A7 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

\O:l, xrefs: 010D0966

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID: \O:l
API String ID: 0-3136575217
Opcode ID: 82675ad8e0dbd324d79a437760d254a2f2720be3707aff8c67dcdc94a345e620
Instruction ID: b37f47ce48998fdb3cee41fc1713aa0956b3d46c5297e3d974cb7ba76deda752
Opcode Fuzzy Hash: 82675ad8e0dbd324d79a437760d254a2f2720be3707aff8c67dcdc94a345e620
Instruction Fuzzy Hash: BAA17F35B002048BDB08AF74D8557BE77F3AB88318F148429EA4A9B798DF75DC46CB51

Function 010D0CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

KMI, xrefs: 010D0D6E, 010D0D73

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID: KMI
API String ID: 0-491236139
Opcode ID: 9156f225f7604f70dda2a0c4d6c293c9750d69807e6238227d33f14723249fca
Instruction ID: 5612afb437c8e56ca60a97cb1a3c30c96190d049c0aa54d9b90c4da51db33e2b
Opcode Fuzzy Hash: 9156f225f7604f70dda2a0c4d6c293c9750d69807e6238227d33f14723249fca
Instruction Fuzzy Hash: DD2127317007148BCB59EB39C5502AFB7D79FC9204F84882CE186DB744DF79E94A8796

Function 010D0CA5 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

KMI, xrefs: 010D0D6E, 010D0D73

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID: KMI
API String ID: 0-491236139
Opcode ID: 10cf7e6093dc69d3b9f4c2a20e1a75e152cf0d777f88dae93947aaf789db6cca
Instruction ID: f72054716cfd0f64e911670636e7e8a8ee1ba7b333f508f33dc0401445abc586
Opcode Fuzzy Hash: 10cf7e6093dc69d3b9f4c2a20e1a75e152cf0d777f88dae93947aaf789db6cca
Instruction Fuzzy Hash: F4214831B003548FCF59EB3985402AEBBD39FC9304F44842CE086DB741DF79A90A8796

Function 010D02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f79684f71dd4a65757da75bd1fc93ca08ec7d72272bd4ebe0b08a656eb3b5b
Instruction ID: e6f459066f0415d391994d8e661f15c1497cc14744239a7be838ea8f1ef969c3
Opcode Fuzzy Hash: 22f79684f71dd4a65757da75bd1fc93ca08ec7d72272bd4ebe0b08a656eb3b5b
Instruction Fuzzy Hash: BEB1183A711210CFC718EF64E958A5E7BF2EF88350B508468F94A9B758DB319815CF91

Function 010D0B9F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e038ff358c7f127ce8bbac2fb35b13a7e68d7a34df77b85febd3b8affc6122
Instruction ID: 6da6e0d92074bacdafc54a0a45d226031b3d03b398cbd23e874d22062a98a92e
Opcode Fuzzy Hash: 02e038ff358c7f127ce8bbac2fb35b13a7e68d7a34df77b85febd3b8affc6122
Instruction Fuzzy Hash: A0118F36A1011CAFCB049BB8E844DDF7BF2AF8C214B054875E606E7764DB31A80A8B81

Function 010D0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570533177efce9414ebfa46c603c73e92567c1621354ef271edd0a5b91032930
Instruction ID: a957a955dc322117a32e97965c662a8f7cc2e0df913b3d1f5ff13583ee884295
Opcode Fuzzy Hash: 570533177efce9414ebfa46c603c73e92567c1621354ef271edd0a5b91032930
Instruction Fuzzy Hash: C4115136A1011CAFCB049BB8D844DDF77F6BF8D214B054875E606E7764DB31A80A8B81

Function 012E0809 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507588338.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8001b85fd826c4ea213f6701552496f0681f84943fbc181a7de708c1ed0839
Instruction ID: f62a484c3c378b5a29daacc07a54c7420b003b5744ac42334d827b94cd15f526
Opcode Fuzzy Hash: de8001b85fd826c4ea213f6701552496f0681f84943fbc181a7de708c1ed0839
Instruction Fuzzy Hash: 6E01B1B2409244AFC301CB55AC41C57BFE8DF96524B0984AAE9488B211E225AD198BB2

Function 012E05E1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507588338.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b7eba1dabf8d3030a4c5ba2f6e0bd1563af1b3d49275d279d2f1b446cd36ef
Instruction ID: a8acaeb860c2478f8ba881598709adae2266ddde6fc5fd6cd2b804622809713c
Opcode Fuzzy Hash: b1b7eba1dabf8d3030a4c5ba2f6e0bd1563af1b3d49275d279d2f1b446cd36ef
Instruction Fuzzy Hash: 5D01A9B65097C46FD7118F06AC40862FFF8DF86620709C49FED498B652D129B808CBB2

Function 012E082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507588338.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56240ea4de3f6cae30c4f009ccff8c423c3a8be2c69182e9fa7d15d0fb4fcac1
Instruction ID: 126b744b757e19c7466b47054800449b4b21cbf3d7704d6dd33c5b8ecfffb5e2
Opcode Fuzzy Hash: 56240ea4de3f6cae30c4f009ccff8c423c3a8be2c69182e9fa7d15d0fb4fcac1
Instruction Fuzzy Hash: 79F082B2805208AF9240DF45ED4585AFBECDFC4521F04C56EED488B700E276A9194AF2

Function 012E0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507588338.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b33679b4a22a711d83139f8a27fa5dad3ade4b02bb4196b8131255c8d8f2b6
Instruction ID: fcf4d7e5ad5afaad5a2320847ad70f9ad89ed10d433db1a5578d7ad0dd4e2717
Opcode Fuzzy Hash: 27b33679b4a22a711d83139f8a27fa5dad3ade4b02bb4196b8131255c8d8f2b6
Instruction Fuzzy Hash: 84E092B66006448B9650CF0BED41452FBD8EB88630708C07FDC0D8B701E635B548CAE5

Function 010D0C5C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f908cac5fe986c79c0f182cbf06905366b631ac523e1ab39954c96552fd010
Instruction ID: 03545b34009c34042b1cef0c1406e4e0c19b5a7f66f80c33ad71b53340599864
Opcode Fuzzy Hash: e8f908cac5fe986c79c0f182cbf06905366b631ac523e1ab39954c96552fd010
Instruction Fuzzy Hash: 2DE0C232F102181B8B08EAF854001DEBAE69BC4064B908079D409E7700EF30DD4287C0

Function 010D0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1c95b2e085654e9cf29d66e393f44b6950f547a3f9503a03c726802be22974
Instruction ID: f7685760ae631f4c4ed06a6a4ff3bb1df5638092147d87e5f624cde3d2bf5877
Opcode Fuzzy Hash: 7d1c95b2e085654e9cf29d66e393f44b6950f547a3f9503a03c726802be22974
Instruction Fuzzy Hash: BCD01232F042185B8B44EAB958445DE7AEA9BC4154B558479D409E7740EF35E84687C0

Function 00C223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507139409.0000000000C22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c22000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0a35dc4f8e1cd1dc5f141acaeb238695fcd115554063f8e97278ceb3069cb5
Instruction ID: e26d219e9093272335a4bae6320b9c25df2db942b06081d87c35e96e39450bc2
Opcode Fuzzy Hash: 3a0a35dc4f8e1cd1dc5f141acaeb238695fcd115554063f8e97278ceb3069cb5
Instruction Fuzzy Hash: CFD02E392006D05FD316AF0CD1A4B8537D4BB40704F0A00FAAC008BB73C768EA80E610

Function 010D0E10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92eef50c40574d6f7b6cf4690fd871f0ee4cab3892d2c41703806f7b36605c4f
Instruction ID: 246ecf602429d9ff3920c4e01dd3f3285b2e8356af248b3276ea3bfb60d82b9b
Opcode Fuzzy Hash: 92eef50c40574d6f7b6cf4690fd871f0ee4cab3892d2c41703806f7b36605c4f
Instruction Fuzzy Hash: 2FD0A7313443044FCB05EB78D814A9D7B915BE9304F48C559D58D9B3A6C770C405CB40

Function 00C223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507139409.0000000000C22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c22000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea374ab533cc4096a23359eecfc7c96a5c3ecee16d675542181f30242921b6fd
Instruction ID: a1587f74bd6d0ab4c74caed2d4f1665780a3a6c3e687a53544b48446de946cfa
Opcode Fuzzy Hash: ea374ab533cc4096a23359eecfc7c96a5c3ecee16d675542181f30242921b6fd
Instruction Fuzzy Hash: C8D05E383402815BC719DF0CD2D4F5937D8AF80B15F0644E8AC208BB72C7A8EAC0CA00

Function 010D0DDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62af7db4f3f72aab711f1f11d60b7c94bb70116d8173cb9b59deb62b0dc36ae5
Instruction ID: b05e4899150bf560f8d36b34a622df40f58d9354a8a179f9e08dc5a4ce25781d
Opcode Fuzzy Hash: 62af7db4f3f72aab711f1f11d60b7c94bb70116d8173cb9b59deb62b0dc36ae5
Instruction Fuzzy Hash: 2AD012353243448FD708AB78D418A697BD267D4314F99C4A4E98C0B369CBB0D845D780

Function 010D0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3890f05f1ac8870c899a65823522c0376e288a22c44cfc2f2227c7d0feb44e
Instruction ID: 9ad31dd7e98ee511f7937ba4fa9304afb341ff693b329a140871a06f5cb2909b
Opcode Fuzzy Hash: ab3890f05f1ac8870c899a65823522c0376e288a22c44cfc2f2227c7d0feb44e
Instruction Fuzzy Hash: ECC012313003088BC704AB68D518A6977D55BD9304F84C464694C1B359CB70E844C740

Function 010D0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4507553768.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68696b8687ed948f0db3b49c744ba4b5332f64ec64de4063722ff30f52b4a48
Instruction ID: 10bb2d64ea9e4a60a61a43d23c27ee4095eb6a40e75adea24273634ef1605619
Opcode Fuzzy Hash: b68696b8687ed948f0db3b49c744ba4b5332f64ec64de4063722ff30f52b4a48
Instruction Fuzzy Hash: F7C012313003088BD704AB68D418A6A77D657D4314F85C464A54C0B359CBB0E844C680

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quarantined Messages (12).zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 1432, Parent PID: 4004

General

Chronological Activities

Analysis Process: 7za.exePID: 2528, Parent PID: 1432

General

Chronological Activities

Analysis Process: conhost.exePID: 2744, Parent PID: 2528

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 1432, Parent PID: 4004COMMON

Execution Graph

Graph

Executed Functions

Function 00C2B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 00C2B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
Quarantined Messages (12).zip

Function 00C2B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00C2AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00C2AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Function 00C2A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 00C2A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Function 00C2A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 00C2B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00C2A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00C2AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00C2A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 00C2A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 00C2A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 00C2A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 00C2A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 00C2AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON