Edit tour

Windows Analysis Report
AI.Gemini Ultra For PC V1.0.1.rar

Overview

General Information

Sample name:	AI.Gemini Ultra For PC V1.0.1.rar
Analysis ID:	1383032
MD5:	a0af1cc1265b96de8699a4daeab236a7
SHA1:	9123d4abce7af105faa7c32c3a2ea5ad4d219d2c
SHA256:	3f79fff587d4eaee9ac530408280987e1317bacc7ada5acb163cffd618b9d932
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 6900 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6972 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\u100klum.rum" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean1.winRAR@4/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\u100klum.rum" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\u100klum.rum" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 2588			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 7382			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5932	Thread sleep count: 2588 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5932	Thread sleep time: -1294000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5932	Thread sleep count: 7382 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5932	Thread sleep time: -3691000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00DBB1D6 GetSystemInfo,

0_2_00DBB1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\u100klum.rum" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AI.Gemini Ultra For PC V1.0.1.rar	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1383032
Start date and time:	2024-01-30 00:13:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AI.Gemini Ultra For PC V1.0.1.rar
Detection:	CLEAN
Classification:	clean1.winRAR@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: AI.Gemini Ultra For PC V1.0.1.rar

Simulations

Behavior and APIs

Time	Type	Description
00:15:16	API Interceptor	4198013x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3660
Entropy (8bit):	4.980812236435664
Encrypted:	false
SSDEEP:	48:UHh9mGjGbjGjGpBGyGjGpdHWGbdG4HWG8GxhRG3aGAGaaGaGyGjGjGm6GjGcGjGV:THhcYFyW+ZWI+a
MD5:	46DD44BC313325A17791FF77C56030E2
SHA1:	2ACA4513F6B3091D5AB11D0D3756C7DBBF11D7BC
SHA-256:	02C2DDF9095DEC492D32BB32A87CB1E8F8CF40D3E9BE07D42AAD87B9EF80DDF8
SHA-512:	9618AF68BE383FD2D3C59CE85DF4BDAA604777849232ADC21B3A2B7A7C1A05603F1E8A299A39FC34BBF076E7482068D548B566AC803A9278D53FC2FF06F2718B
Malicious:	false
Reputation:	low
Preview:	01/30/2024 12:14 AM: Unpack: C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar..01/30/2024 12:14 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\u100klum.rum..01/30/2024 12:14 AM: Received from standard out: ..01/30/2024 12:14 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/30/2024 12:14 AM: Received from standard out: ..01/30/2024 12:14 AM: Received from standard out: Scanning the drive for archives:..01/30/2024 12:14 AM: Received from standard out: 1 file, 404274 bytes (395 KiB)..01/30/2024 12:14 AM: Received from standard out: ..01/30/2024 12:14 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar..01/30/2024 12:14 AM: Received from standard out: --..01/30/2024 12:14 AM: Received from standard out: Path = C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar..01/30/2024 12:14 AM: Received from standard out: Type = Rar5..01/30/2024 12:14 AM: Received from standard

Static File Info

General

File type:	RAR archive data, v5
Entropy (8bit):	7.999558533559639
TrID:	RAR Archive (5005/1) 100.00%
File name:	AI.Gemini Ultra For PC V1.0.1.rar
File size:	404'274 bytes
MD5:	a0af1cc1265b96de8699a4daeab236a7
SHA1:	9123d4abce7af105faa7c32c3a2ea5ad4d219d2c
SHA256:	3f79fff587d4eaee9ac530408280987e1317bacc7ada5acb163cffd618b9d932
SHA512:	1228a47e69129f80083cbdc2fe638cab04a77840aa6b67401ee137b9917e452237fb8f40a74008ca88af38c43fcdc31ba1d4d43887c74c77762b795999e860a6
SSDEEP:	12288:1fDgARzJdLN4iKWGBc2FW2JH8IhnscBhl:1rtRln4HW12FW2l8+7l
TLSH:	50842393BC6C5A1F0ADCAC40EB69F17DCEB774562F66C6174DC8168B005BAC98802B37
File Content Preview:	Rar!....{].r.............}6.<....<......- sQjz...FAI.Gemini Ultra For PC V1.0.1/Google AI Gemini Ultra For PC V1.0.1.msi0....o.D.5.?.jErn.t......r}k.9........-..%u.....$... Y.m*M..z......]{Rn..k....d....K..3jQ7....5ja'~K................;.caJ..!x...H.`...Z

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 6900, Parent PID: 2580

Function Logs

General

Target ID:	0
Start time:	00:14:42
Start date:	30/01/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar
Imagebase:	0x5e0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 6972, Parent PID: 6900

Function Logs

General

Target ID:	1
Start time:	00:14:43
Start date:	30/01/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\u100klum.rum" "C:\Users\user\Desktop\AI.Gemini Ultra For PC V1.0.1.rar
Imagebase:	0x90000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6996, Parent PID: 6972

Function Logs

General

Target ID:	2
Start time:	00:14:43
Start date:	30/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 6900, Parent PID: 2580COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	76
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00DBB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00DBB208

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: f62ecadcf23d567799533f452bc1d52f24206cab39cc5130ab74822675ee63f9
Instruction ID: a7adea4a36fa099776572285079c1b166bfc4f0477b2e666b33f4d7a30eb0b00
Opcode Fuzzy Hash: f62ecadcf23d567799533f452bc1d52f24206cab39cc5130ab74822675ee63f9
Instruction Fuzzy Hash: D6017C719002408FDB108F15D884BA6FBA4EB55320F08C4AADD898F656D3B9E4088A61

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00DBB2F3

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 169ab4703438dfd8d476cd2cd5666994e8d45f9b822185bb3d923ca3ba44565f
Instruction ID: 43a08e61e1fa460298849aba68bc18661441c9de75c4ada86a987d4ade3137a8
Opcode Fuzzy Hash: 169ab4703438dfd8d476cd2cd5666994e8d45f9b822185bb3d923ca3ba44565f
Instruction Fuzzy Hash: 2831B471504344AFE7228B61CC44FA6BFFCEF55320F04889AE985CB552D365E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAB76 Relevance: 1.6, APIs: 1, Instructions: 101
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00DBAC36

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 1a49ae9629723a0d6cb93dc4d7adec81a857fb4218f22cf2e619396dc9c578e6
Instruction ID: f0ff55fbdafd13cfb47240af330021cf680b17fd57389cd8db3da2f5d0714c20
Opcode Fuzzy Hash: 1a49ae9629723a0d6cb93dc4d7adec81a857fb4218f22cf2e619396dc9c578e6
Instruction Fuzzy Hash: 01318A6250E3C05FD3038B718C65A91BFB4AF87210F1A84CBD8C4CF1A3D269A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00DBADA7

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 53d8709de4b4659bc2345b5aaeb4f0e4c36c41c68c3dd2710bbaca529216c0e5
Instruction ID: 890812f746684609c1259e4f10d76db773dab04325aff8e4cdc1b5f9d14f9b51
Opcode Fuzzy Hash: 53d8709de4b4659bc2345b5aaeb4f0e4c36c41c68c3dd2710bbaca529216c0e5
Instruction Fuzzy Hash: 3C31B571504344AFE7228B65CC44FA7BFECEF45224F04889AF985CB552D225E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DBA67D

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d43dc834f1ec6626ef7b75f9fb4d98abbcd7f2f9da3460f37591d32a13c296a
Instruction ID: e70ab3aefc299537a077600fc2791348e732847984a98a41fed8508f97f6a6f0
Opcode Fuzzy Hash: 6d43dc834f1ec6626ef7b75f9fb4d98abbcd7f2f9da3460f37591d32a13c296a
Instruction Fuzzy Hash: 9831B1B1504340AFE721CF25CC44FA6BFE8EF55224F08889EE9858B652D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00DBA1C2

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 58d13965ff12d86e5c6f9576f2e828433a669be28995efd91648b8bf637e9c71
Instruction ID: 7a88c460ee242b1d44c8fae0f49b6edb5cce01128d222b5b58dbc68d72c187c6
Opcode Fuzzy Hash: 58d13965ff12d86e5c6f9576f2e828433a669be28995efd91648b8bf637e9c71
Instruction Fuzzy Hash: E321927150D3C06FD3128B258C61BA6BFB4EF87610F1985CBD8C4DF693D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA40C

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e4123f4cff93640d291aa8bcceee53f690ff13746169afd3c9b73a61813eda31
Instruction ID: b380f93fcbebbb0da14d4a8dc45901d1ef036db579572e25e06cba132f7aa4d1
Opcode Fuzzy Hash: e4123f4cff93640d291aa8bcceee53f690ff13746169afd3c9b73a61813eda31
Instruction Fuzzy Hash: 8B217A71504344AFD721CF55CC84FA6BBF8EF55620F08849AE98ACB292D365E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00DBB2F3

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 72403206109473686c0b62cf54d0e57bba1e948817b9f69c624030d5b0ef8ccb
Instruction ID: e9118079a8b24647f77e794afb9f35f876e9d1e098eb63ac2a23d0ac304ae57f
Opcode Fuzzy Hash: 72403206109473686c0b62cf54d0e57bba1e948817b9f69c624030d5b0ef8ccb
Instruction Fuzzy Hash: F221C172500204AFEB219F61CC44FABBBECEF14324F04886AE985CBA51D775E5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00DBA5B6

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: f43c01f5833789b3c0306278e03be90ea8e3a563b877b0c7ed9ff7de50b41eec
Instruction ID: b94afaa9251c747911f85e4a02b3c83a48ba51366d0b13edade2f892a057f7f6
Opcode Fuzzy Hash: f43c01f5833789b3c0306278e03be90ea8e3a563b877b0c7ed9ff7de50b41eec
Instruction Fuzzy Hash: F92171715093806FD3138B25CC51B62BFB8EF87614F0A81DBE8849B593D625A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00DBADA7

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62f4f5db29c8c496e2bafe61f0f508fd21d3fc9874a3aa656dcba5097f854f7c
Instruction ID: 268821066a718dc2f3c2652597a14c8415afbffc17a98dd82d18a501ffd96e2d
Opcode Fuzzy Hash: 62f4f5db29c8c496e2bafe61f0f508fd21d3fc9874a3aa656dcba5097f854f7c
Instruction Fuzzy Hash: 0121C172500204AFEB219F55CC44FABFBECEF14324F04886AE985CBA51E735E5498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA8DE

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: afac9098ce24e09fe576d4fdcd45b9821ae52ed8290102caf5ba68bcf093a7bc
Instruction ID: 020bcc4541d3f6167560d02638fcf45bacd51ca1d129ce231a5fe00eb3a372d3
Opcode Fuzzy Hash: afac9098ce24e09fe576d4fdcd45b9821ae52ed8290102caf5ba68bcf093a7bc
Instruction Fuzzy Hash: 5321D671508380AFEB228F14DC44FA6BFB8EF56714F0884DAE984CF553C225A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA9C1

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6b0cf611a21f5ff7367927306cf8dbd17aae0dbbf685f1540112e3390bfd8912
Instruction ID: 5fe6ef94e8398254ba55bf0c86ecb45a0e5283ff7a6ad14a8b07ecfea9439465
Opcode Fuzzy Hash: 6b0cf611a21f5ff7367927306cf8dbd17aae0dbbf685f1540112e3390bfd8912
Instruction Fuzzy Hash: FA21A171409380AFDB228F65CC44F96BFB8EF56314F08849AE9859F152C275A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DBA67D

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b060036b5661cd34a7b79c120df4034b2c35dd86791de27a2ee2e7bf6b4b53d0
Instruction ID: a576c83ebd9bac037bd3d34fb3d491f23cbe58be0884a87c896536d15e3c6a7a
Opcode Fuzzy Hash: b060036b5661cd34a7b79c120df4034b2c35dd86791de27a2ee2e7bf6b4b53d0
Instruction Fuzzy Hash: 902192B1500604EFE721DF65CD45FA6FBE8EF18324F088869E9868B651D775E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA815

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 853c40801000ad94ca1176aafd9f2994e0f19ca11582a7058a60ce95a9e00ed4
Instruction ID: b8fafdf35d071034dc3639b64e95d387280fa1edbe46db7ad930819663e95cb7
Opcode Fuzzy Hash: 853c40801000ad94ca1176aafd9f2994e0f19ca11582a7058a60ce95a9e00ed4
Instruction Fuzzy Hash: 4621D8B54093806FE7128B11DC44BA6BFB8EF57714F0880D6E9858F653D265A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00DBAA8B

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b5ab94b8a7fd936ddb5ffea35f2e95716a8749129e4a588526826939aff1bf42
Instruction ID: 4e2244911b9434dba28d9101a409b91a6c9b99dc2ef8dc72b7883357a8befa7b
Opcode Fuzzy Hash: b5ab94b8a7fd936ddb5ffea35f2e95716a8749129e4a588526826939aff1bf42
Instruction Fuzzy Hash: 4A21AF715083809FDB12CB29DC55B92BFE8AF46314F0D84EAE885CB153E225D909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA40C

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4a2eadbd46a7a5e7b63b4748334d3c56e73a7ddfc3dcad448811a9b2a54d95d7
Instruction ID: 938031769043cb5eadd38b870090bb45b2536228fcf53d12becec88c26134796
Opcode Fuzzy Hash: 4a2eadbd46a7a5e7b63b4748334d3c56e73a7ddfc3dcad448811a9b2a54d95d7
Instruction Fuzzy Hash: A1218E756002049FE720CE55CC84FA6B7ECEF14710F08C45AE94A8B651D7A5E809CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA6D4 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DBA748

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ed014256b9f1bbe64d60c79a6e07ac6c7a1fd59a74a06a6fc44c3d045bad5d88
Instruction ID: ebad4c218109d48a64cb6c2671f0e51e56dae7d8b5fa1c8688f84e075b0b8750
Opcode Fuzzy Hash: ed014256b9f1bbe64d60c79a6e07ac6c7a1fd59a74a06a6fc44c3d045bad5d88
Instruction Fuzzy Hash: C8219FB59097C09FD7128B2ADC94792BFB4AF46320F0984DBDCC58F5A3D2659908C772

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA9C1

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 189a49d922ab230420e4954c0ecbfece3ecfa34b10f2dea7f5785f1b08bbb925
Instruction ID: 2ed0c3eae6d237c64f8b6f028eaaedf1596e89a721d58c0aae812a5cac9db033
Opcode Fuzzy Hash: 189a49d922ab230420e4954c0ecbfece3ecfa34b10f2dea7f5785f1b08bbb925
Instruction Fuzzy Hash: 8D11E271500200AFEB21CF55CC44FAAFBA8EF64724F04C45AE9858B641C335E408DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA8DE

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5e11e7b4720f969975ed0f0eb8b2861bcf09f69668be14b37e7a10183bbdf536
Instruction ID: 0bec6d0ac98e652dc95599b63ed838b629d6b840ca59818cf30826a94f6ea445
Opcode Fuzzy Hash: 5e11e7b4720f969975ed0f0eb8b2861bcf09f69668be14b37e7a10183bbdf536
Instruction Fuzzy Hash: 9711E371500200AFEB21CF55DC44FAAFBE8EF64724F18C85AED859BA41C375E5098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DBA30C

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4cff792a3adf21fb96fd731ece31aafc354af07133ebc90c605e99128b3183ad
Instruction ID: acf5360c1121a20bb1ff7a9b8f17e6d8517746b76ed08bf883e9a0cc2e855744
Opcode Fuzzy Hash: 4cff792a3adf21fb96fd731ece31aafc354af07133ebc90c605e99128b3183ad
Instruction Fuzzy Hash: 211191758093C09FD7228B25DC54A92BFB4EF57220F0980DBDD858F263D275A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,714ECDAC,00000000,00000000,00000000,00000000), ref: 00DBA815

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 871097963726c9207449ced884a031f7a1734600e31cfa75830ea85ef5e92836
Instruction ID: 8184df68692a5be0c1cc788e72512d8088dd9dcae65ddcf19ec95c1aeb3cbc0c
Opcode Fuzzy Hash: 871097963726c9207449ced884a031f7a1734600e31cfa75830ea85ef5e92836
Instruction Fuzzy Hash: 9301D675500200AEE720CB05DC84FEAFBE8DF65724F18C056ED458BB41D779E8098AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00DBAA8B

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 4f99349d896cd2509d80e29aacf83f35cadf4abd69e486e7bc661368206f79c1
Instruction ID: 45b443a7444fc4e9b1b9c54c21176a332fa9770a531b7f713401916821be7194
Opcode Fuzzy Hash: 4f99349d896cd2509d80e29aacf83f35cadf4abd69e486e7bc661368206f79c1
Instruction Fuzzy Hash: 661152716002409FEB50CF19D984BA6BBD8EF55320F0CC4AADD49CB641E675E948CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00DBAFE4

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: cb38efdbd3565464145b1f8aad70fcc7c79465678d600a0d4f62236d95e44a79
Instruction ID: 320204de78425b0fc33b3f341abafba0d33e1b0cbd780eb5dc6d1bd9284b7454
Opcode Fuzzy Hash: cb38efdbd3565464145b1f8aad70fcc7c79465678d600a0d4f62236d95e44a79
Instruction Fuzzy Hash: 93119A715093809FDB128B25DC85A62BFF4EF46220F0984DBED858B663D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00DBB208

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 4f861f05f927b11d40bf6d57c42d52a5138dab70155dbdce88f73a22869b8a4e
Instruction ID: 7f437074ce6c561fe9dc445e5c89d48c5145d1d2ca874bd30839580d5c5c802f
Opcode Fuzzy Hash: 4f861f05f927b11d40bf6d57c42d52a5138dab70155dbdce88f73a22869b8a4e
Instruction Fuzzy Hash: FC1170715093809FDB128F15DC44B56BFB4EF56220F0884DBED858F653D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00DBA1C2

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: f2e247c4af5488e13ee754514cd32fa7307ded2fc4b5aa66042cd7bb7a25d542
Instruction ID: c2567fff8823500def74fa9229eb462eb80c8fd6276746101392cdba937a66b1
Opcode Fuzzy Hash: f2e247c4af5488e13ee754514cd32fa7307ded2fc4b5aa66042cd7bb7a25d542
Instruction Fuzzy Hash: 2F017171600200ABD310DF16DC46B66FBE8FB88A20F14855AED489BB41D735F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DBABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00DBAC36

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 80ec8bf91fffe2c24968665f4465ee512d50b601be77c22f94fd3acead46f109
Instruction ID: b182de8965aec4d453cad3280df2cc61554189c812ecaff74be8a8f9a3683ebf
Opcode Fuzzy Hash: 80ec8bf91fffe2c24968665f4465ee512d50b601be77c22f94fd3acead46f109
Instruction Fuzzy Hash: 57017171600200ABD350DF16DC46B66FBE8FB88A20F14855AED489BB41D735F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00DBA5B6

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 54bbe0cfdd0a27e5bc49d31a9b77574d4cbe377a4829e8d65f4ab966790ca6a3
Instruction ID: 76aff33531467238693b406dc567757ed8fa1075f316079eed7db88ca6ec505c
Opcode Fuzzy Hash: 54bbe0cfdd0a27e5bc49d31a9b77574d4cbe377a4829e8d65f4ab966790ca6a3
Instruction Fuzzy Hash: F201A271600200ABD310DF16CC46B66FBE8FB88A20F148159EC489BB41D731F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DBA748

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f642e9631d2656d32e6e25b127d3670de1ce3f2465d5ac5f4880bca69380dae0
Instruction ID: 000231cb3da78855ef4f06e1e126fd1499cd41a08d3796dabec2f32a66c9d939
Opcode Fuzzy Hash: f642e9631d2656d32e6e25b127d3670de1ce3f2465d5ac5f4880bca69380dae0
Instruction Fuzzy Hash: 5A01F771A04240CFDB10CF19D8847A6FBE4DF54320F18C4AADC4A8F742D679E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00DBAFE4

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f70fdfdc10f918545240bf5c558af4373b599a45a44a1d1218976953bb175768
Instruction ID: 612479ab71c7fd4e23209432765dd7ab62560ee42b709d803f7ec1533e76fe65
Opcode Fuzzy Hash: f70fdfdc10f918545240bf5c558af4373b599a45a44a1d1218976953bb175768
Instruction Fuzzy Hash: 1D01D675900240CFDB109F15D8857A2FBE4EF15320F08C09AED864B752D375E848DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DBA30C

Memory Dump Source

Source File: 00000000.00000002.4092577837.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c92acf86a0a60db843bf90a973e24a38b527e6b3eef7f5ec18f828e8a5575fac
Instruction ID: 2de5c4f1c15798550c0b893156ece55c81b7e8bf0ebf0b3122b705616f7c5523
Opcode Fuzzy Hash: c92acf86a0a60db843bf90a973e24a38b527e6b3eef7f5ec18f828e8a5575fac
Instruction Fuzzy Hash: 07F0A475904240CFDB209F09D884BA2FBE4EF55724F08C09ADD494F752D379E448CA72

Uniqueness

Uniqueness Score: -1.00%

Function 01060C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

[M), xrefs: 01060D43, 01060D48

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID: [M)
API String ID: 0-1288923395
Opcode ID: 87409afd01bc07242ea2db71242e0725f8f78a5fc9535c42e337bc8f99ba7cf6
Instruction ID: 276e6daac9c83336710c1876579eb16d3a61ba90e3211214a34c72eedc07d65c
Opcode Fuzzy Hash: 87409afd01bc07242ea2db71242e0725f8f78a5fc9535c42e337bc8f99ba7cf6
Instruction Fuzzy Hash: 732123307006458FC715BB3984417AE7BE6DFCA344B44892CD286CB395DF3AE90287A6

Uniqueness

Uniqueness Score: -1.00%

Function 01060CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[M), xrefs: 01060D43, 01060D48

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID: [M)
API String ID: 0-1288923395
Opcode ID: 2466a0f1e110d636cfa2f59df70e5fe3146fb6206b2c71254800b7eb6d0a5219
Instruction ID: ab6afd63f2745359118806538b75732e2408b50fe21d7810e52eee0d5fc71f3b
Opcode Fuzzy Hash: 2466a0f1e110d636cfa2f59df70e5fe3146fb6206b2c71254800b7eb6d0a5219
Instruction Fuzzy Hash: C721F1307006008BC714FB3A94417AFBAE69F99208B44892CD186CB385DF3AED0687A6

Uniqueness

Uniqueness Score: -1.00%

Function 010602C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809c6545825418dffb8ccecd917eaa207023c3ffb66c965b75de34238af7c720
Instruction ID: 754c4029da6aa778c717f2667936fc9dc9e15e126b921cd4edbf69e996e21bf9
Opcode Fuzzy Hash: 809c6545825418dffb8ccecd917eaa207023c3ffb66c965b75de34238af7c720
Instruction Fuzzy Hash: EEB12B3A701211DFC758EF64E959B5A7BF6FF88240B508829E906DB368DB349D01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01060798 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5642b8c8a9de2c24101fa241a6de486857153e6f1a182eefaa91d13581eb9d
Instruction ID: 0bb8b70ca16422e1f4ec9cec7ea2ecad32d4b2f760c09aea4ec569fe5cb54695
Opcode Fuzzy Hash: 5f5642b8c8a9de2c24101fa241a6de486857153e6f1a182eefaa91d13581eb9d
Instruction Fuzzy Hash: 63A18C35B002018FDB09AB7498557BE77E6EB88308F14C429E906D77A8DF79DC028B61

Uniqueness

Uniqueness Score: -1.00%

Function 01060BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a128b79339229b85d9976ed6b23b9d46ecb6b0cc837137606896701dab4cd2e5
Instruction ID: 914b3ff854d1839023c943340d17dbf2490f9249a7a8922e5f87a2c96680af4a
Opcode Fuzzy Hash: a128b79339229b85d9976ed6b23b9d46ecb6b0cc837137606896701dab4cd2e5
Instruction Fuzzy Hash: 6F119E36A10119AFCB54ABB4E85599E7BF6FF88314B058475E205E7374EB35AC0A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 01200807 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092867427.0000000001200000.00000040.00000020.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b269da9edd6ba8352aa1d12d1e9a2aa1d5623f850303a11396a08455e9ce02c
Instruction ID: d63dd2ba9e5c25b38365f4677224d1d81c010915e642986c031f47efba48e2e3
Opcode Fuzzy Hash: 9b269da9edd6ba8352aa1d12d1e9a2aa1d5623f850303a11396a08455e9ce02c
Instruction Fuzzy Hash: B301D8B24092406FD301CB15EC45C57BBF8DF86520B09C46BEC888B301D226B9098BE2

Uniqueness

Uniqueness Score: -1.00%

Function 012005DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092867427.0000000001200000.00000040.00000020.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9862f99ade932f3424c7214b1eab4cd1db7b8a71a9cce63cb31f303f0dd8683d
Instruction ID: e9d091c7560113db0202feeb014e5a7e79b259d52202b8b52344cb66a42bfdef
Opcode Fuzzy Hash: 9862f99ade932f3424c7214b1eab4cd1db7b8a71a9cce63cb31f303f0dd8683d
Instruction Fuzzy Hash: 3C018B755097806FD7118F169C44862FFB8EF86520709849FEC898B652D225A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0120082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092867427.0000000001200000.00000040.00000020.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2440572dca4d4a8d0737d050b83fbf8c3dd2587d76fabbe10d2f09d99cb4136d
Instruction ID: f9315e63acd5dc2aa245b9af863214458b31a0c0f9cce542ee30d0bfa5cf6a97
Opcode Fuzzy Hash: 2440572dca4d4a8d0737d050b83fbf8c3dd2587d76fabbe10d2f09d99cb4136d
Instruction Fuzzy Hash: 6EF082B2915204AF9240DF05ED46896F7ECEFC4521F04C52AEC488B701E276A9194AE2

Uniqueness

Uniqueness Score: -1.00%

Function 01200606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092867427.0000000001200000.00000040.00000020.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99caff2ba67e72cd3cfa0784ee20a61235bf036a8157a45425b61d240ef176b
Instruction ID: e4c46f709e9282420a41861fa6e4bc6f8489f6f13b9b79eed2f9b0e70997257c
Opcode Fuzzy Hash: b99caff2ba67e72cd3cfa0784ee20a61235bf036a8157a45425b61d240ef176b
Instruction Fuzzy Hash: 66E092B66006004B9750DF0BEC45452FBE8EB88630708C07FDC4D8B711D236B509CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 01060C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005464f9fe185ac2eec9733cac0b2cbf26806895c65ec40ce91fcde473a9ca57
Instruction ID: 48f2dd23504633d450220ad793a3dcdeab8bf3354da1bb5d189eb75291a6a16a
Opcode Fuzzy Hash: 005464f9fe185ac2eec9733cac0b2cbf26806895c65ec40ce91fcde473a9ca57
Instruction Fuzzy Hash: 2BE0DF32F212682FDB04DAF89401A9E7FB1DF8A160B8484BAC008D7360EA3989028390

Uniqueness

Uniqueness Score: -1.00%

Function 01060C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119394e22102de03a18d175b8f61083a072c176534c0feda7f137c057fbb4cc8
Instruction ID: cf03979a05cb61e12f05fc64011083a6dc52b34790fe26d3041724c3c67b2332
Opcode Fuzzy Hash: 119394e22102de03a18d175b8f61083a072c176534c0feda7f137c057fbb4cc8
Instruction Fuzzy Hash: 77D01232F012282B8B44DAB9584299F7BEA9B84154B5444799009D7350FF39990187D0

Uniqueness

Uniqueness Score: -1.00%

Function 01060DD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65da3da53dd9ff335d90916d67732c2acf479703e31763d18420b3a28a47d7f0
Instruction ID: 50521108ca6ecf2fc156319ba9eb858b1475ecf31a68ef0003f77139afa21aea
Opcode Fuzzy Hash: 65da3da53dd9ff335d90916d67732c2acf479703e31763d18420b3a28a47d7f0
Instruction Fuzzy Hash: CAE0C2302882548FD702AB349864A993FB1AF97304F09C0D9D989CF2B6C674D858D780

Uniqueness

Uniqueness Score: -1.00%

Function 01060E08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbdda8acca1ef17cff6c4bce75a99ca178e514db263ea59491231fec82cd707
Instruction ID: 00841ccd2d4aa2561ed8f1ed07393e055b2c6040782f61285292851060ef84d9
Opcode Fuzzy Hash: 0bbdda8acca1ef17cff6c4bce75a99ca178e514db263ea59491231fec82cd707
Instruction Fuzzy Hash: 19E0C2262563444FD7066B3498146583FA49B8A300F48C0D1DAC48B276CA60DC01C350

Uniqueness

Uniqueness Score: -1.00%

Function 00DB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092563490.0000000000DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e982977be7fa88096ec3e48247f04ea8d0079fef4d6a7c044eb2311b89ee962
Instruction ID: 6a8501205037907b11ed8f966caf0ba192124f9e62f3bf8bc77cefe63508cd41
Opcode Fuzzy Hash: 1e982977be7fa88096ec3e48247f04ea8d0079fef4d6a7c044eb2311b89ee962
Instruction Fuzzy Hash: 10D02E7A2006C08FD3128A0CC2A5BE63BD4AF60704F0A00F9A8008BB63C728D980C210

Uniqueness

Uniqueness Score: -1.00%

Function 00DB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092563490.0000000000DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997b7f278b1774fc4163daa70a78cc9ab5479650cb13d22e34b7e5daec7f25ea
Instruction ID: 26ef176c31c09096ceb1baed1d59ac34392625a8d03b76fd78dfa451dc4bd79f
Opcode Fuzzy Hash: 997b7f278b1774fc4163daa70a78cc9ab5479650cb13d22e34b7e5daec7f25ea
Instruction Fuzzy Hash: 8CD05E352002818BC715DA0DC6D4FA977D4AB54B14F0A44ECAC118B762C7B8D8C0CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01060DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3970cac2513650f0972347103bad8341711cdf38536be9735043a9b2d8742d56
Instruction ID: 3a390b76455b80d3935f34592ddaafb539ae907061b8cbbc5d6f6d95d1d9d005
Opcode Fuzzy Hash: 3970cac2513650f0972347103bad8341711cdf38536be9735043a9b2d8742d56
Instruction Fuzzy Hash: 73C012303402048FD704BB78D819A2577DA97D0304F45C064A5494B269CA74EC40C684

Uniqueness

Uniqueness Score: -1.00%

Function 01060E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092786318.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf6c0a47b42c11225e1e2b2d6cab58277f090e957b27c57ebef97034c3194eb
Instruction ID: b22ca04b2692890f0c71024a28ec10055f99e6cffb812896c3a7f40cdf682805
Opcode Fuzzy Hash: 3bf6c0a47b42c11225e1e2b2d6cab58277f090e957b27c57ebef97034c3194eb
Instruction Fuzzy Hash: BDC012313402048FD748B778D919A2977D997D4304F84C06465484B269CA74EC40C644

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AI.Gemini Ultra For PC V1.0.1.rar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 6900, Parent PID: 2580

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Windows Analysis Report
AI.Gemini Ultra For PC V1.0.1.rar