Edit tour

Windows Analysis Report
Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip

Overview

General Information

Sample name:	Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip renamed because original name is a hash value
Original sample name:	Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.Appx
Analysis ID:	1393030
MD5:	21de135a5ac9248d0683da5b7b08f4db
SHA1:	fc358891923a5c9c31398fecfc600ecb1b992014
SHA256:	7ba6ea7bc32cd58b7e0683da588796086accfb74efb7a3e525e9f8014d2ad663
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops certificate files (DER)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Tries to load missing DLLs

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may be VM or Sandbox-aware, try analysis on a native machine

Process Tree

System is w10x64

unarchiver.exe (PID: 1100 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 1312 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

• Compliance
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\vccorlib140_app.i386.pdb source: vccorlib140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_atomic_wait_app.i386.pdb source: msvcp140_atomic_wait_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_app.i386.pdb source: msvcp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\concrt140_app.i386.pdbGCTL source: concrt140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_2_app.i386.pdbGCTL source: msvcp140_2_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcomp140_app.i386.pdb source: vcomp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_1_app.i386.pdbGCTL source: msvcp140_1_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_codecvt_ids_app.i386.pdb source: msvcp140_codecvt_ids_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_atomic_wait_app.i386.pdbGCTL source: msvcp140_atomic_wait_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_codecvt_ids_app.i386.pdbGCTL source: msvcp140_codecvt_ids_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcamp140_app.i386.pdb source: vcamp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcruntime140_app.i386.pdb source: vcruntime140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\concrt140_app.i386.pdb source: concrt140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcruntime140_app.i386.pdbGCTL source: vcruntime140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_2_app.i386.pdb source: msvcp140_2_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\vccorlib140_app.i386.pdbGCTL source: vccorlib140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcamp140_app.i386.pdbGCTL source: vcamp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcomp140_app.i386.pdbGCTL source: vcomp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_app.i386.pdbGCTL source: msvcp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_1_app.i386.pdb source: msvcp140_1_app.dll.2.dr

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxMetadata\CodeIntegrity.cat

Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: classification engine

Classification label: clean4.winZIP@4/17@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\vccorlib140_app.i386.pdb source: vccorlib140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_atomic_wait_app.i386.pdb source: msvcp140_atomic_wait_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_app.i386.pdb source: msvcp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\concrt140_app.i386.pdbGCTL source: concrt140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_2_app.i386.pdbGCTL source: msvcp140_2_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcomp140_app.i386.pdb source: vcomp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_1_app.i386.pdbGCTL source: msvcp140_1_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_codecvt_ids_app.i386.pdb source: msvcp140_codecvt_ids_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_atomic_wait_app.i386.pdbGCTL source: msvcp140_atomic_wait_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_codecvt_ids_app.i386.pdbGCTL source: msvcp140_codecvt_ids_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcamp140_app.i386.pdb source: vcamp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcruntime140_app.i386.pdb source: vcruntime140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\concrt140_app.i386.pdb source: concrt140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcruntime140_app.i386.pdbGCTL source: vcruntime140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_2_app.i386.pdb source: msvcp140_2_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\vccorlib140_app.i386.pdbGCTL source: vccorlib140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcamp140_app.i386.pdbGCTL source: vcamp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\vcomp140_app.i386.pdbGCTL source: vcomp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_app.i386.pdbGCTL source: msvcp140_app.dll.2.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\app\\msvcp140_1_app.i386.pdb source: msvcp140_1_app.dll.2.dr

Source: vcomp140_app.dll.2.dr

Static PE information: 0x72E84CC8 [Sun Feb 2 19:23:52 2031 UTC]

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_atomic_wait_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vccorlib140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcamp140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcruntime140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_1_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\concrt140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_2_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcomp140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_codecvt_ids_app.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4EB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_atomic_wait_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vccorlib140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcamp140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_1_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcruntime140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\concrt140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_2_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcomp140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_app.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_codecvt_ids_app.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5520

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00FDB286 GetSystemInfo,

0_2_00FDB286

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	32 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	32 Virtualization/Sandbox Evasion	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\concrt140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_1_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_2_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_atomic_wait_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_codecvt_ids_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcamp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vccorlib140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcomp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcruntime140_app.dll	0%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1393030
Start date and time:	2024-02-15 18:02:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip renamed because original name is a hash value
Original Sample Name:	Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.Appx
Detection:	CLEAN
Classification:	clean4.winZIP@4/17@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (3861), with CRLF line terminators
Category:	dropped
Size (bytes):	3917
Entropy (8bit):	5.883035645303162
Encrypted:	false
SSDEEP:	96:aLVTLi+LOve98bpOdnZW4iKVP7BIk2OgONyxCdFfWMaKeQCfocYjVOsfesji:2Hi+ceebp4nw3KVP7BIk23SyodFf9aKK
MD5:	B5AB48174AC1E50636F676D78AC60885
SHA1:	C6FB64202419F79AA1860332FBA2B661170DEDE9
SHA-256:	16159C2589807F531084BBAE3666F3357A815C0F71F25E830C5A7784BCE1CA26
SHA-512:	94968DBD2E81EE68DEA7E4D0B1E91D887E40FCE8932C94F1166206216327D235217C2504299BA9C20C632BB9185C1C97778329412ED1FF095D15E6C58598B260
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" xmlns:b4="http://schemas.microsoft.com/appx/2021/blockmap" IgnorableNamespaces="b4" HashMethod="http://www.w3.org/2001/04/xmlenc#sha256"><File Name="concrt140_app.dll" Size="238112" LfhSize="47"><Block Hash="dR0AnjPLKkm4newUD4e12zk+H7zUuAaoBb9klI5ISUs=" Size="29168"/><Block Hash="iG6C9Qvdigqw9c2otNKEtzSziqQ6vr1/37V3ZMBdViE=" Size="37835"/><Block Hash="f7T5wP2CDBYtOi//SVgHYQjc5+CW2rP8Tqmh+FPzkBY=" Size="27349"/><Block Hash="hVBIStGUvMCb+Bx/zU6yUdvywp/tVj/0LjNzakhxFFI=" Size="21017"/><b4:FileHash Hash="UvYQGk5xeyw9mB34F3lxfMogEmY6XWeVGJT0mWaFU+A="/></File><File Name="logo.png" Size="426" LfhSize="38"><Block Hash="2oWRAS5k1w0jIAZdObkhzqs6dAAvJ29bcFJHhRjE8zE="/></File><File Name="msvcp140_1_app.dll" Size="22840" LfhSize="48"><Block Hash="iRYCVnaDol78CWIDRGWRzzkj2EuzHZSmQsIRXZ0xvLo=" Size="12806"/></File><File Name="msvcp140_2_app.dll" Size="241856" LfhSize="48"><Block H

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxManifest.xml

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (319), with CRLF line terminators
Category:	dropped
Size (bytes):	1266
Entropy (8bit):	5.353407091365893
Encrypted:	false
SSDEEP:	24:Jdjl4+AA+AN/+K+tTzIj+ENgPYzDfDJCIUT4XbJ14PUrrw3x4RvPUZHShNfitFfY:3jRATANmtxz2+ENgADfDJGT4rJ14PeWo
MD5:	C4899274436EDB5A4B2BB415077CC26E
SHA1:	915D3B714DDD4989341328F210E6FCE246B530CF
SHA-256:	A340A8576FC77ABAA6980A6E2910EB508FC8EB40601CD5C31EAFC725EBDD44B8
SHA-512:	4608FBD0065A07718ACCAFFE9DC7C7C5A9B8D4613729A7540E043360F05F1F28D5664B7D95B24D0BF65F9CF262C66DD1F23C02FDF208D00A835D63890E7395DA
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:build="http://schemas.microsoft.com/developer/appx/2015/build" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest" IgnorableNamespaces="uap build mp">.. <Identity Name="Microsoft.VCLibs.140.00" ProcessorArchitecture="x86" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Version="14.0.33519.0" />.. <mp:PhoneIdentity PhoneProductId="938c94d3-76d8-49d2-8524-dd6e4581ff3a" PhonePublisherId="a8099e80-050d-411d-9b45-4ea107a7be6b" />.. <Properties>.. <Framework>true</Framework>.. <DisplayName>Microsoft Visual C++ 2015 UWP Runtime Package</DisplayName>.. <PublisherDisplayName>Microsoft Platform Extensions</PublisherDisplayName>.. <Description>Microsoft Visual C++ 2015 UWP Runtime support for native applications</Description>..

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxMetadata\CodeIntegrity.cat

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	data
Category:	dropped
Size (bytes):	13920
Entropy (8bit):	7.468121871891257
Encrypted:	false
SSDEEP:	384:MeBQIa8MFi3g9h1RcvBxEfU/EtHNsAR9z2Zc:MYQ5jRWBWUyts89zEc
MD5:	D50D4C943A29018E1F025BFF642EE460
SHA1:	BF1752CBC750F7D0BC355ECBC77F092B36CCD250
SHA-256:	65CCA5143E7488DD22C28A8EB3CDCA6D8CA42BF52F06944E34E6F335B9532ADE
SHA-512:	0D67CA61E9A77312C666B66060A08DE12B63DEC501ECD0888DDD92E2619ABF614939B0F9FABF834BCF0E747AA9024A245426B8940830FFDF336644CE1B962784
Malicious:	false
Reputation:	low
Preview:	0.6\...H........6M0.6I...1.0...`.H.e......0..6..+.....7.....'0..#0...+.....7.....7.C....D..A.k.<Z..240129192937Z0...+.....7.....0...0... ....7..M..o+.%.<...o._...z..,nI1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....7..M..o+.%.<...o._...z..,nI0... ...y. ..jA&. ..X.....7...s...zxP1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...y. ..jA&. ..X.....7...s...zxP0..4ui.7.n.g.$.......1.0...+.....7...1...0..9.S..$^.\|-..c...-...1.0...+.....7...1...0..<....qM..C.........H1.0...+.....7...1...0... L.kx....%.......<y..m...vW....1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... L.kx....%.......<y..m...vW....0..b.w...$X..i...a?...1.0...+.....7...1...0... jJ..@...aj...,.........n.B1q0...+.....7...1...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... jJ..@...aj...,.........n.B0... sb}.0...^P....9` ....;?j...(k.D1q0...+.....7...1...0]..+.....7...1O0M0...+...

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxSignature.p7x

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	data
Category:	dropped
Size (bytes):	12103
Entropy (8bit):	7.532293471634435
Encrypted:	false
SSDEEP:	192:0zQ8pZakTMFiJFg9h11zcvBnxEfezx1BI8HNsAX01k9z3AqmZNqggU:eQIa8MFi3g9h1RcvBxEfgxLtHNsAR9zE
MD5:	026915E804FFB968054B02E0DD6359A4
SHA1:	0C8F2030F40583597DA60665F21493BCB5B7A3A9
SHA-256:	BC36A2BFFAA4CAD37251DAEF29FD90BABFFC268B9D4FF64BB754989B74696D33
SHA-512:	F5C7985C8ED0E0EB4591747E2D8CE259AD1A8226F8B10B4B09D8B38372CAB761E6F44FF83544FB39C5A6DD8DB3527630B2FEC95D26C9DFB6F5157FCDC37D8221
Malicious:	false
Reputation:	low
Preview:	PKCX0./?...H......../00./,...1.0...`.H.e......0.....+.....7.......0...05..+.....7...0'........K......M.n#.9..................0..0...`.H.e.........APPXAXPCh.k1n-<].....}.:BJ....${Y.T.tD.AXCDw....#.....(.o]..FY..icw.4L.w.dAXCTf...J...@......Yo...K..#."w.AXBM...%...S....6f.5z.\.q.^..Zw....&AXCIe..>t..".....m..+./..N4..5.S...?0..y0..a.......3.8.....lt..y...8..0....H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....EOC1'0%..U....Microsoft Marketplace CA G 0280...240129191923Z..240201191923Z0t1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Corporation0.."0....H.............0.........{..2. ...8-.D/....u.....A...A5\...K...O.J.b."..R9$.......B-.!{.?7O\|......q....!...]..>LB.*.M.`.qX.#u0..?..R....d..........((.!....}."\>.r5t..u....+..M.D.o.='.1q....{......-..;.6.{...=..Z.mV{.]:u...........+.!8v....Q.S...........'.[...J...9b{x.............0...0...U.%....$0"..+.....

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\[Content_Types].xml

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (553), with CRLF line terminators
Category:	dropped
Size (bytes):	610
Entropy (8bit):	4.981731155277698
Encrypted:	false
SSDEEP:	12:TMHdt266fY4cufY94Jef/Hfb2bqDfbqbqF8LfblbqQ0fbNJzc:2dtp6fYyU22/q2mXl2QAk
MD5:	FE3425FF68F8A510322A40A0BDF490B5
SHA1:	20B31584C7128E3EE9B566953175F5EF03CD0BE8
SHA-256:	6695CE88024A05FD8E40ECCFE286DF8DBBC8AC596FA4B28A4BDE0123192277A7
SHA-512:	02CEA7FB3766236E2B400AA46E5425735ED2D40E1D0E64663B9BE76132E56AA3732A13636BB8E9E0DCE77A7877F5FEF3CF3C2C2939DA1898508FC4D0C7F6B1F5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="dll" ContentType="application/x-msdownload"/><Default Extension="png" ContentType="image/png"/><Default Extension="xml" ContentType="application/vnd.ms-appx.manifest+xml"/><Override PartName="/AppxBlockMap.xml" ContentType="application/vnd.ms-appx.blockmap+xml"/><Override PartName="/AppxSignature.p7x" ContentType="application/vnd.ms-appx.signature"/><Override PartName="/AppxMetadata/CodeIntegrity.cat" ContentType="application/vnd.ms-pkiseccat"/></Types>

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\concrt140_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	238112
Entropy (8bit):	6.618098226597798
Encrypted:	false
SSDEEP:	6144:Wm/MxlPK7TVtEug1Vmt8nv7y6fs9IyHRU30yPmXspIw/88RSux6D12z/VoESioeE:j8XzfCUkRBw/6ux9znSrL
MD5:	78CE4ABB272C079FC55C040B5C86632F
SHA1:	99CA1FDFCD21823C2F7560AADC6BB28EE5F84149
SHA-256:	52F6101A4E717B2C3D981DF81779717CCA2012663A5D67951894F499668553E0
SHA-512:	6940BA75C40CB1A1350FAB14C01959873BF56D734B0F9AE6E3015F1CA7B59DA2FF95FD492203273FBBF4F0650B879D4FDC2487DCFDC2895992A77DA05757772F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{.l.(.l.(.l.(..g(.l.(5..).l.(.l.(.l.(5..).l.(5..).l.(5..).l.(5..).l.(5..(.l.(5..).l.(Rich.l.(........................PE..L...y.V;.........."!...'.....v......Py....................................................@Q.............................K...Q.......p...............r.. 0.......(...:..T............................:...............P...............................text...P........................... ..`.data....4.......2..................@....idata.......P.......2..............@..@.rsrc........p.......D..............@..@.reloc...(.......*...H..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\logo.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	426
Entropy (8bit):	7.241494576863163
Encrypted:	false
SSDEEP:	6:6v/lhPahmTfzsXZMhyUE5Wmtpz7B+CiWiPwA/KCFq4I8xwt9lOw4h8hwJ25wgCp4:6v/7xAZMg5WmPz7B+hlI+ZkOw6p2ug1
MD5:	5E369B22824C11DE956BA55DBBF33906
SHA1:	62FC5D2CFE520B4BC6AB543A9256D7A88D3B8D5D
SHA-256:	DA8591012E64D70D2320065D39B921CEAB3A74002F276F5B7052478518C4F331
SHA-512:	266EDB9719E7AE85FC7F12956963D97EFE8AAB3F7FC0D74508AF6F26D9C9D438D4C6016721ED2AF52F5AC50BBD6CFEB56F1284C2347C61218BF566B3C6AEFCCF
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....\IDATx^..1H.@...+..H.'......".....7Q\,8EP\..$.Zh..N..NR.....n............~..1...-.......)......R.....YC6!.w..X.e....!. ..\{.V..:..`^...L..'......5e.st.Y!...`..q..'..TA.....G.a.W.#......b......g...e...@/-..3H...J,.!b.....P..N.l..j.....sqw.........?.h......%.....[i.....]...k,.M[..@..K.JT..F.C.m{].....{#)%V..^'Z..F.......(.-......y+X....F.mrsOQ....IEND.B`.

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_1_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22840
Entropy (8bit):	6.4974206019398775
Encrypted:	false
SSDEEP:	384:qhbI99u3JojthPAXSEaWcnGWRTanFtX9g1EWb+NNPR9zKTusV:lk3Ghut20npCEkq9zwV
MD5:	3355094D0A356BEE95ADDB0572ED21ED
SHA1:	93F188EBB74D4E5BDC1D939227BE41A258827EAC
SHA-256:	891602567683A25EFC096203446591CF3923D84BB31D94A642C2115D9D31BCBA
SHA-512:	00655D512B9C0682D95F53FA68C3C511420DCE0008FA7AEC5ABA33C6C58E4DF5AC22DA683FAD025ED754145B5AE928480834062DB1D290F61CF311A7A02BA3D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..............E.....T.....T...........T.....T.....T.....T).....T....Rich...................PE..L...(............."!...'.....................0...............................p......F.....@Q.........................'..N....@.......P...............0..8)...`.. .......T...........................X................@...............................text............................... ..`.data........0......................@....idata.......@......."..............@..@.rsrc........P.......(..............@..@.reloc.. ....`.......,..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_2_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	241856
Entropy (8bit):	6.748647709604506
Encrypted:	false
SSDEEP:	6144:St/x5zxHdwmhHcwHZ3uOwM3K02dVCOsoRTp9YZS0C9kWWuc0yxEp:exHhhHTHduBMa0OsoRTpyZu9kWU0zp
MD5:	71287113063090890998DAEAB02F1492
SHA1:	210E6DE17FAF210B16A1B3CB6D653812FEAE6921
SHA-256:	4399C9D97BD9C939FCDD9F3947BA0FE1076B6BB6D00321213D28B497ADD77223
SHA-512:	6EA47AB85B2AE0828A29192D3197344BD9220D0210CDF317550FB16F6ACC61A54C63DB22F04B43824DD1CEDAF3547F653727964783C679F1BA79EC9A3BEB31C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..[.d...d...d.... ..d......d......d...d..Vd......d......d......d....L..d......d..Rich.d..................PE..L................"!...'.....~............... ......................................f.....@Q........................0...D....Q..,....`...................0...p..dA...N..T........................... N...............P...............................text...t........................... ..`.data...L&... ...$..................@....idata.......P.....................@..@.rsrc........`.......:..............@..@.reloc..dA...p...B...>..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439640
Entropy (8bit):	6.669083576952026
Encrypted:	false
SSDEEP:	12288:tc8W4YMOIznZlfWKo18SVn2dpbhUgiW6QR7t5s03Ooc8dHkC2esK82X3QoQ:thYMOIznZAKo18Sodm03Ooc8dHkC2ene
MD5:	DE8A460B6748276061E93424045C5085
SHA1:	0FC32F13957613F74B6BD782B023918E0F344B77
SHA-256:	35775D3A21C56FC5FFE602868C2F39704B7D967F6E3689993B80781572F00711
SHA-512:	E7AFFCED7F284F04BEDBBD8D4765E2E747E445D3386F4C92AC314846DA1D8BD98AFE87B62DDA9A7DD207EB504EBEA372B9EF16AE51FC2E7A91938992660B2293
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S..=..=..=.....=.2.<..=..<.\.=.2.9...=.2.>...=.2.8.}.=.2.=..=.2...=.2.?..=.Rich.=.........PE..L....~X..........."!...'.....\|............... ......................................./....@Q.........................O..W...0S.......p...............~..X7.......4..XU..T............................T...............P..(............................text...'........................... ..`.data...\|&... ......................@....idata.......P.......*..............@..@.rsrc........p.......D..............@..@.reloc...4.......6...H..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_atomic_wait_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35128
Entropy (8bit):	6.5785921081364895
Encrypted:	false
SSDEEP:	768:6+5+wdeKh9nZj+CjAReFALKWKyRnpCcl8hYg69zz:66+wdek9dljceFALKv+P8yrzz
MD5:	DF1F8D9A4FC4B2455E92CA986880C316
SHA1:	24E357AB376FE0826FAA020F33FFFBC876676791
SHA-256:	E1C262CCA7EC5F23CC331CE9DD70E7ABE238B448F647A729093F8333C943C04E
SHA-512:	B96209E8AC7AEC845B83F27FDC06E63851CF884EC22CC8EDBEBD99BEF524A412CFA2984B7EED29D22C29AA386ED8922A21D1348C1D94EEE25DEE5EE5A7D9EF0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.D..s,.s,.s,...,2s,...-.s,..)-.s,.s+,Is,..+-.s,../-.s,..-.s,...,.s,..(-.s,Rich.s,........PE..L......`.........."!...'.D...........A.......`............................... ......[.....@Q........................@M..H...,...h....................`..8)..........0...T...........................p...................$............................text....B.......D.................. ..`.data...<....`.......H..............@....idata...............J..............@..@.rsrc................V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_codecvt_ids_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20176
Entropy (8bit):	6.4294651808848595
Encrypted:	false
SSDEEP:	384:Qk7G3WseAcOJMjjrEVWiXiWy7nFtX9g1cswqY/6fR9zzEeW:P/OkYBe7npCcc/9zM
MD5:	8095595C4BE5290B3B6706DECE6186E5
SHA1:	433AA9C59C685B81065F45C11E130A43EF909C05
SHA-256:	88FDC721B71CA3DA41B0FD645BB7822EB713CA9600860C2C135AC383C09ECA19
SHA-512:	F35C18B573AE704F36E0288E71C019B45F96B26AEDEF0254C0DE22B1AE5993D4856988B700737AFF62DEDE6F9CAD4C3B0D32840D7174BBF85CD61E85EA5A5B1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..).y.z.y.z.y.z...z.y.z...{.y.z.y.z.y.z...{.y.z...{.y.z...{.y.z...{.y.z..lz.y.z...{.y.zRich.y.z........PE..L...y5............"!...'.....................0...............................p......8X....@Q............................3...l@.......P...............&...(...`..........T...........................H................@..d............................text............................... ..`.data........0......................@....idata..8....@......................@..@.rsrc........P......................@..@.reloc.......`.......$..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcamp140_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	347040
Entropy (8bit):	6.452306381955334
Encrypted:	false
SSDEEP:	6144:WLde6cD4ujbaOB6IUF04I/L6DTzxu2jeRQSLDfNpw3RLtRjQ9xf:hhsu3kWX6f9useukh4RLtRjQ9V
MD5:	C8B63977B50A68B8DCA06D6CCE61F831
SHA1:	21E6241795EF682B07B2BE1E07C5378C99D32B56
SHA-256:	7F66C5EACC5323B0FF262D4CDEA1ADB75455A9EE9BAC55E4DA8DEBA757AFE7B9
SHA-512:	E69319C4106987DDCBA8768263C7F2655D0CA6E0D3D910D0BFDC651B2A2AA3CDBF33F36C8B47E2A2C9C7086EF4CD170207E756647E5FEB55EDBA6FEA25D741FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.a.>.2.>.2.>.2.L.3.>.2.F92.>.2...3.>.2.>.2.>.2...3.>.2...3.>.2...3.>.2...3.>.2...3.>.2..U2.>.2.>=2.>.2...3.>.2Rich.>.2........PE..L...Bt.Y.........."!...'.p..........P........................................@............@Q.........................H..87..L...........8$...............3......D<...e..T....................f.......d..................D............................text....o.......p.................. ..`.data...<+.......(...t..............@....idata.."...........................@..@.rsrc...8$.......&..................@..@.reloc..D<.......>..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vccorlib140_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	273728
Entropy (8bit):	6.554132849934548
Encrypted:	false
SSDEEP:	3072:wzRTU8caSFKPExgbXBXMAgS4WMwNZuQRcqZBD16rhDRnEL5RkPHoTRg2iaBbGwxe:Ta5IyXu1wzuQhRBSbbhrj
MD5:	D67248D995BADFD6279FAA5A39F810E5
SHA1:	5CBBDFE9D28E93A5CA91A699F934B63BEA614004
SHA-256:	EE3899BA4C916E88ABBE98ED0BD98FFB5B46F3B072E3FDC01BC9AC46D80E0136
SHA-512:	DE75AF1086FB10847B6F0FFC0EEBCBAADF27AE2D2D628FC61676CD1B7EFB97BB9398CC2251859621BD985053101B0B16B31AD202E2BA910EBF34F1ED2D462F4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+m..o..Xo..Xo..Xft.XA..X...Yj..Xo..X...X...Yv..X...Yd..X...Yj..X...Y~..X...Yn..X..lXn..X...Yn..XRicho..X........................PE..L...K..O.........."!...'............ ........0...............................0.......S....@Q........................0....=.............................@1.......X..PK..T............................J...............................................text...O........................... ..`.data....n...0...l... ..............@....idata..............................@..@.rsrc...............................@..@.reloc...X.......Z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcomp140_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54256
Entropy (8bit):	6.720711859933193
Encrypted:	false
SSDEEP:	1536:9XtNxZ1jb5M4yrPfWmQb+LSCxpwYdw/mwezy:xtNxDjpAxpwYS/mHu
MD5:	08706B9A202FA5B75FEB2FA8307C07AD
SHA1:	0812CFAC5CE070EB9681DF4F2AD43FFF1739CF9F
SHA-256:	B065C21F34F90CEA54D094629693ABBCF622C7AD03809114CFEF91349C8809A7
SHA-512:	0F10B3178D6DE515156F1AEC7C10C01AB477029F7777AA770B5137EE7C76B6BB03A3CC2532E3DC8628498A0384D7E6BE91721CA3BD450FDD860DF77910BA02BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................V....{\|..........{\|.....{\|.....{\|....{\|....{\|....{\|:....{\|....Rich...........PE..L....L.r.........."!...'.............g..............................................K.....@.............................................................)......L...h...T............................................................................text...)........................... ..`.data...X...........................@....idata..f...........................@..@.rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcruntime140_app.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80584
Entropy (8bit):	6.7905559754169325
Encrypted:	false
SSDEEP:	1536:upnmwd+O9WOCGYJe2NBObxuFGtREvHz3BFv19ecb0dZNDiORfz:onySWOE4UmU+EPzjecb0fNDHl
MD5:	BACD42F652DF6CE399656E4BCB00C5D1
SHA1:	BF49C26FE98EF8EB03A4F08C8C1EEDD505FA1917
SHA-256:	F45DC2F9AB9040D641D54CD7BFB08C98CBC33D0F81B4613FE73B91AEDE1F48FD
SHA-512:	FB1C0158186C7A7371CF422A7CCEAC6F1BECB76B1ABA104E6924D50827F1DC2E140292844967ECE042D7900DA4DF4D0833347186E18D37E70C6D5DA9C39A42E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1r}.P...P...P...(..6P...P...P...../.P...../.P...../.P...../.P.......P...../.P..Rich.P..........................PE..L.....?h.........."!...'..... ...............................................P......lm....@Q................................. ..T....0...................*...@.......#..T............................"............... ...............................text............................... ..`.data...D...........................@....idata..>.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3071
Entropy (8bit):	5.29013129911058
Encrypted:	false
SSDEEP:	48:uDA+gGVjGbZGVjGpTjGRGVjGptA4GbrGuA4GBGxGLGe4GVjG4GVjG9GXG6XfZdpt:uDTfAnaEJuxIVpXL5
MD5:	34973953AE28E129BABC1A7387DEAAF4
SHA1:	C1A832B4344256FEADF7D9C293CBE7C6751F6110
SHA-256:	E21A2A00771054AE8572DEFAF8A5C6F0356A353DB779E727339D1CCA689CCA7D
SHA-512:	4FAAF6C9EBF7C8EA0BE18B5F13FC4B4B6BFB05E0E007AA4F50E4D7137A05ADD73147830A5A1C01D131C9E63F7D18E5976D3CF52D162F00F7FA01237D7439617A
Malicious:	false
Preview:	02/15/2024 6:03 PM: Unpack: C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip..02/15/2024 6:03 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx..02/15/2024 6:03 PM: Received from standard out: ..02/15/2024 6:03 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..02/15/2024 6:03 PM: Received from standard out: ..02/15/2024 6:03 PM: Received from standard out: Scanning the drive for archives:..02/15/2024 6:03 PM: Received from standard out: 1 file, 758544 bytes (741 KiB)..02/15/2024 6:03 PM: Received from standard out: ..02/15/2024 6:03 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip..02/15/2024 6:03 PM: Received from standard out: --..02/15/2024 6:03 PM: Received from standard out: Path = C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip..02/15/2024 6:03 PM: Re

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.99746165807975
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip
File size:	758'544 bytes
MD5:	21de135a5ac9248d0683da5b7b08f4db
SHA1:	fc358891923a5c9c31398fecfc600ecb1b992014
SHA256:	7ba6ea7bc32cd58b7e0683da588796086accfb74efb7a3e525e9f8014d2ad663
SHA512:	8729cfca45f31f8a2c45bbc689c1b0443ab8e25b8696542794dc1e50a9bb9c8e0afb8588fc1f3f34b9d1cd7154c3b8c3f2386cfefce1ff11c0b5d1d482792c55
SSDEEP:	12288:rTdeDUqXwXDNF/SVOA8FUzR9wADhaNl2OP615VzojrHxq+JO5wGAiZ5erV432L:FMBYNFiv9wA9gst56M+o5wGdurqo
TLSH:	7AF423A289796FC8D45D09B52B39EC5A73310C7563E40767F81E19BEDC26ECC9F82980
File Content Preview:	PK..-.......=X................concrt140_app.dll.}{\TU...a.QQOJIe5..............hr.P ..f.}.`.m:NR..YYQYYZQiQZ..........,.A5&..5...9..s....}.}..=k..{.......fH....0.....X..>fv..i...o.f...8.N7.....E.&ky..........2.iF...^j**5...b.]._0.W......{=..S%m.>..6+.+\|..

File Icon


Icon Hash:	90cececece8e8eb0

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	18:03:47
Start date:	15/02/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip
Imagebase:	0x8f0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:03:47
Start date:	15/02/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx" "C:\Users\user\Desktop\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip
Imagebase:	0x90000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:03:47
Start date:	15/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	80
Total number of Limit Nodes:	5

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00FDB286 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00FDB2B8

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: c0e624df25b9b28720ac89ba3c9e4ab5edc98b15d2ec046cbf053a8546b85e32
Instruction ID: dd895dc694f99cb57a95bf261ac2a316db09a24ddf7762cb87c15d0205e7e454
Opcode Fuzzy Hash: c0e624df25b9b28720ac89ba3c9e4ab5edc98b15d2ec046cbf053a8546b85e32
Instruction Fuzzy Hash: 70018B72804240CFEB10CF16D984B69FBE4EF04321F09C4AADD488F346D379A414DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 050B0799 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@Tl, xrefs: 050B08B5
:@Tl, xrefs: 050B0822
\O{l, xrefs: 050B0966

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID: :@Tl$:@Tl$\O{l
API String ID: 0-1248805932
Opcode ID: 8be138126f5077c744420aa4a30afe5b716b59c3a25a2bfb8ac69396729da9b4
Instruction ID: 2c55e36be7cee6b5342a34ee0d586babb833801a8e345629784edcc61d91d28c
Opcode Fuzzy Hash: 8be138126f5077c744420aa4a30afe5b716b59c3a25a2bfb8ac69396729da9b4
Instruction Fuzzy Hash: 79A16030B002148BEB05AB75D9A9BBF77F3AF84308F158529DA069B394DF749D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050B0C99 Relevance: 3.8, Strings: 3, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`3l, xrefs: 050B0D62
`3l, xrefs: 050B0D37
P5l, xrefs: 050B0CC8

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID: P5l$`3l$`3l
API String ID: 0-3380955166
Opcode ID: 49bde749f4f1a404ee87641460c303b8316f2dda503c54a5c7c59f5784852ecd
Instruction ID: fce889c283469ffa89bef5e7e40fd4a3c117169e0a8b64073118c98835833e52
Opcode Fuzzy Hash: 49bde749f4f1a404ee87641460c303b8316f2dda503c54a5c7c59f5784852ecd
Instruction Fuzzy Hash: F72155307046908FC716EB3A84117AF7BD39FC6208B48846CD286DB391DF39E9068B95

Uniqueness

Uniqueness Score: -1.00%

Function 050B0CA8 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`3l, xrefs: 050B0D62
`3l, xrefs: 050B0D37
P5l, xrefs: 050B0CC8

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID: P5l$`3l$`3l
API String ID: 0-3380955166
Opcode ID: 4428fe166b49a21d0f1f5501927f8b43b6b3a257db4a09d99675c7e82d724d45
Instruction ID: a5710f4d61f31e5382e96287de338f74956038841147863b02a32a6c674f6d05
Opcode Fuzzy Hash: 4428fe166b49a21d0f1f5501927f8b43b6b3a257db4a09d99675c7e82d724d45
Instruction Fuzzy Hash: 942121307006148BC715EB3A88517AFB7E7AFC5208B84883CD246DB781DF79E9068B95

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB2F6 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00FDB3A3

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b7f481e434a9af5509afdf842b1e6c843d6504fd162a2dca52bc5bb65979f57
Instruction ID: 949974e17da5f57f5dcde32d853ba02faf2c472da109134a749ccc2610bc9fa2
Opcode Fuzzy Hash: 6b7f481e434a9af5509afdf842b1e6c843d6504fd162a2dca52bc5bb65979f57
Instruction Fuzzy Hash: 8F31B475408344AFEB228B61DC45FA6BFBCEF05220F05849EE985CB162D375A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA676 Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00FDA72D

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 461adaf8a2c4dcf80cf0433ff77921e0f7ca94654511d9a5f406ec82d3946e88
Instruction ID: 79eb4db528e984d97d2f75f01cbc4c82787ef4d1ff41b316e5af81c257c698c4
Opcode Fuzzy Hash: 461adaf8a2c4dcf80cf0433ff77921e0f7ca94654511d9a5f406ec82d3946e88
Instruction Fuzzy Hash: FF3181715093806FE712CB65DD44B62BFF8EF06324F08849AE9858B293D375E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00FDADB4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00FDAE57

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e68c02afa9cf62962cfba86ab8309e5cd32075d96165904520fc7fcfeaf8af2
Instruction ID: 7d411ce3ba288142ad1ac8e2f745e2c67bcf1bc64531ed443f3b224ce92b5078
Opcode Fuzzy Hash: 1e68c02afa9cf62962cfba86ab8309e5cd32075d96165904520fc7fcfeaf8af2
Instruction Fuzzy Hash: D231B371408344AFEB228B61DC44FA7BFACEF05224F08889EF985DB152D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAC26 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00FDACE6

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: d6c5ff7ee79f00418161927a926011218eff56899ac821851b350d56c68e5027
Instruction ID: b4f264bc243d35b97468e852334144c985a9f6dd2575f4e950bacfc1743fd794
Opcode Fuzzy Hash: d6c5ff7ee79f00418161927a926011218eff56899ac821851b350d56c68e5027
Instruction Fuzzy Hash: 70316E7250E3C06FD3138B618C65A51BFB4AF47210F1E84DBD8C4CF1A3D2696909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA120 Relevance: 1.6, APIs: 1, Instructions: 84
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00FDA1C2

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 73d1cae00156345138576bd86669f05e4d18335ac8191351f776d2cebe8afadd
Instruction ID: e165806b8c8e7ace034b07bad385459d14a98de31ab011c3a9880f9d01464a22
Opcode Fuzzy Hash: 73d1cae00156345138576bd86669f05e4d18335ac8191351f776d2cebe8afadd
Instruction Fuzzy Hash: 0E21E57140D3C06FD3128B258C51BA2BFB4EF47610F1985DBDC848F293D229A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDA40C

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8900446f9c0a53dc0a78f5a475ea898a0d2e4a5528850f2efac839e69c537617
Instruction ID: d3129dec4f57e1f91b4c9350e002797cc4973b6c90206265f99ffbf9b063f69b
Opcode Fuzzy Hash: 8900446f9c0a53dc0a78f5a475ea898a0d2e4a5528850f2efac839e69c537617
Instruction Fuzzy Hash: EB219F75508740AFE721CF11DC84F62BBFCEF05720F08849AE985CB292D365E908CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00FDADDA Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00FDAE57

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0228eebd4621b5d2f5fa146db0f746ba8487300aa65dc1c545e19e2ae72f33bb
Instruction ID: 7e17ddfa78c95f1f9867b77b319520065c8ed493afa3a3821f0896e024fdbe09
Opcode Fuzzy Hash: 0228eebd4621b5d2f5fa146db0f746ba8487300aa65dc1c545e19e2ae72f33bb
Instruction Fuzzy Hash: CD21F172404204AFEB21DF61DC44FABBBECEF04324F04886AEA45DB651D371E508DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB326 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00FDB3A3

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0a65f881a3dbfbaf33ef465dd74206c89af73007ac5386444da97081185e8dfe
Instruction ID: 05f1f5e901bebe4f8547e57c2b8b768954f64d38177a93ee58dee40f867d115b
Opcode Fuzzy Hash: 0a65f881a3dbfbaf33ef465dd74206c89af73007ac5386444da97081185e8dfe
Instruction Fuzzy Hash: 7221C176504304EFEB21CF65DC45FABBBECEF08324F04886AEA458B251D371E5589BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA900 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDA98E

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 551c73b3a0e1078fefdb24856c26d95fb3af8b7d18e208fca0ebfe349aadcba8
Instruction ID: 856594a6bd5b567ac3aa1cdb9041fd6124cf17f18a8dfc46cc5f07cd5961ca81
Opcode Fuzzy Hash: 551c73b3a0e1078fefdb24856c26d95fb3af8b7d18e208fca0ebfe349aadcba8
Instruction Fuzzy Hash: 0921B6754083806FEB228B51DC44F66BFB8EF46724F0984DBE9849F153C275A909C776

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA9E3 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDAA71

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3634b277dea9a1e475cd938f0e608fcf2bce6d19c176c804fb36e77acd50a4ae
Instruction ID: cf46f607a1f6ca8a671b9182bdaf8971376419d7d1b2e3bf6dc388733cad7397
Opcode Fuzzy Hash: 3634b277dea9a1e475cd938f0e608fcf2bce6d19c176c804fb36e77acd50a4ae
Instruction Fuzzy Hash: 8E21A171409380AFDB22CF61DC44F66BFB8EF06310F0884DAE9849F152C275A509CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA6AE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00FDA72D

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe3b030da3220c81e399f4a42782b63794df73f2432e2c456fd3b175205b7a0e
Instruction ID: ad4d1f3d2b4f62f63299f20ab76915ff136144f68812f70dfef430f522448e28
Opcode Fuzzy Hash: fe3b030da3220c81e399f4a42782b63794df73f2432e2c456fd3b175205b7a0e
Instruction Fuzzy Hash: 13219275504200AFEB21CF65DD45F66FBF8EF04320F08846AE9458B751D371E914DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA83F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDA8C5

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c77871cab34e03b5c9acc250b96be05b983a9fcb36ea0f7883ffca7931c2fd61
Instruction ID: 1f59ce106b0b8b0f63d358686493b8c80c6ce2b5040a425489f475e07272b2b7
Opcode Fuzzy Hash: c77871cab34e03b5c9acc250b96be05b983a9fcb36ea0f7883ffca7931c2fd61
Instruction Fuzzy Hash: B021D8B540C3806FE7128B21DC44BA2BFB8DF46324F0980DBE9848B193D265A909D776

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA784 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00FDA7F8

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c30e53a46b5f3f5297c882ca3172ea7bb01eb543a88bd444b2af842888167b90
Instruction ID: b5063c12a9a00fb9c23c116e69719e077ff1ea3ac9537c680e43c4eb8ac438ad
Opcode Fuzzy Hash: c30e53a46b5f3f5297c882ca3172ea7bb01eb543a88bd444b2af842888167b90
Instruction Fuzzy Hash: B321CF759097C09FDB128B25DC95752BFB8EF07220F0D84EBDC858F2A3D2649909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAABB Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00FDAB3B

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: bc92886c77a2940536cb8fd15268dcc8ca28eb0bfb958d4e4ad4643e3a8ee43b
Instruction ID: 17e7bc288b70a3452afe4946378747d9165355ed69bb3b208702f74f5af07cda
Opcode Fuzzy Hash: bc92886c77a2940536cb8fd15268dcc8ca28eb0bfb958d4e4ad4643e3a8ee43b
Instruction Fuzzy Hash: 9621A1715083805FDB12CB25DC55B92BFE8AF46324F0D84EBD884CB263D264D909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDA40C

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d62d87fc93e85af9f3e1e9f9402009f49acab5bc88ea459c0f1cf9c41f59837c
Instruction ID: 943204bd48b149db13db99a80ecad62e2203379106a3019a41db1b61f2bf76c1
Opcode Fuzzy Hash: d62d87fc93e85af9f3e1e9f9402009f49acab5bc88ea459c0f1cf9c41f59837c
Instruction Fuzzy Hash: 0F2190765046049FEB20CF15DC84F66F7ECEF04720F08C4AAE9458B251D7B5E905DAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAA12 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDAA71

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4282bc6fdc79194c1aa0281f8fe290313efc186d86d2b6182a4a893951a90cc8
Instruction ID: f020a9184997b2f25a3173b8ad2371dff4afdc2365981be8394a189ce7e0bc41
Opcode Fuzzy Hash: 4282bc6fdc79194c1aa0281f8fe290313efc186d86d2b6182a4a893951a90cc8
Instruction Fuzzy Hash: AF11EF72408200EFEB21CF11DD44FA6FBE8EF04324F08C5AAEA458B241D379A504DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA932 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDA98E

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a2b1652e260840f11af7497607e5379c031228bf1daf7b5cb29758f6f6ec7950
Instruction ID: ba1be30b6396646a62ac35405cfbd1d1ddb525cd1146abfb9358d605f65d718e
Opcode Fuzzy Hash: a2b1652e260840f11af7497607e5379c031228bf1daf7b5cb29758f6f6ec7950
Instruction Fuzzy Hash: 1B11BF76408200AFEB21CF55DC44B66FBA8EF44324F18C8AAEA449B241D375A5049BB7

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00FDA30C

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 298ea6bf37c95c87fa83d4da5ced7cb27b477d7847ffd6ba79fb2b5f639a219e
Instruction ID: a557e94c4487b77107610e26b7a2ad056aed2634e0fb29ad5a6680be26eca0c6
Opcode Fuzzy Hash: 298ea6bf37c95c87fa83d4da5ced7cb27b477d7847ffd6ba79fb2b5f639a219e
Instruction Fuzzy Hash: 66119E758093C09FDB228B25DC54A52BFB5EF07220F0D80DBDD848F2A3D265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAAF6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00FDAB3B

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 82cff7bad86bc36c2a7568f274bcb2dcb369dca93fafd6ea1df1a166179988b1
Instruction ID: a7b8511dcd910de29ab88bb7d3a9fdb7cbf9a58525c8336710ab77bb45b7e8bd
Opcode Fuzzy Hash: 82cff7bad86bc36c2a7568f274bcb2dcb369dca93fafd6ea1df1a166179988b1
Instruction Fuzzy Hash: 5C115B71A042409FEB10CF29D985B66BBE9EF44720F0CC4ABDD49CB352E274E845DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA872 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,FFA0F466,00000000,00000000,00000000,00000000), ref: 00FDA8C5

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d66bdfc1f2a72f5b15ff8e15270209086252e74826ce5dd69249da3591b9f52e
Instruction ID: 9180f20ff633e74463be4bcae13d0dfc9fe7d8b7e5b1385832df20803367bddb
Opcode Fuzzy Hash: d66bdfc1f2a72f5b15ff8e15270209086252e74826ce5dd69249da3591b9f52e
Instruction Fuzzy Hash: A401D675508200AEF720CB15DC45FA6F7D8DF44724F18C09AEE059B241D375E9459AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB264 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00FDB2B8

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 178fddd6634734e0dcc8944564c9d8072e921318a1d807ee054fdf444efe03bd
Instruction ID: e18d957689c8d95c41b9c1af4e12368d90d930c810f034bca55f19f84e8f5caa
Opcode Fuzzy Hash: 178fddd6634734e0dcc8944564c9d8072e921318a1d807ee054fdf444efe03bd
Instruction Fuzzy Hash: 8A1170718093809FDB12CF15DD94B56BFB4DF46220F0984EBED848F252D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA5DC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 00FDA636

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 4c1f5a595886502b1aa41a27b6bb2d0a301e15e344e7522cb01491c7ba4ca524
Instruction ID: 4f4d440e9320cfd63a087af697f430cd7898ee29dfef704d8c52f0808933b876
Opcode Fuzzy Hash: 4c1f5a595886502b1aa41a27b6bb2d0a301e15e344e7522cb01491c7ba4ca524
Instruction Fuzzy Hash: 4C116D714093809FDB21CF65DC44B52FFA4EF06220F0D84EAE9848B262D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB03B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00FDB094

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 5016c483afb3366e3eab93bab13d5a133ed1b7661b07e61abd4f9eaa1e8676fd
Instruction ID: 20ed2774fdf5029dcd2440fb80ef711515435b10290156e2afa8ca48c55be79d
Opcode Fuzzy Hash: 5016c483afb3366e3eab93bab13d5a133ed1b7661b07e61abd4f9eaa1e8676fd
Instruction Fuzzy Hash: E6115E755093809FDB128F25DC49B56BFF4EF06220F0984DBED858B262D365A848DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00FDA1C2

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: b4744b6e0c5fa3e2d2bed57620f7fdea57350a4a472ed537d8ebae755099f7ef
Instruction ID: 20635006be3229f4e3aac7e9c9b1d1d1c4efadfa5dd2222d4fc868d5ed790bad
Opcode Fuzzy Hash: b4744b6e0c5fa3e2d2bed57620f7fdea57350a4a472ed537d8ebae755099f7ef
Instruction Fuzzy Hash: 56018471904200AFD710DF16DD46B26FBE8FB88A20F14856AED089B741D735F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAC96 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00FDACE6

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 1f223cb5a796a685e21b83ce8ae1a9ee5b3e0776af94843079b38af3f6ff9759
Instruction ID: e39657deb424f90951edb5367cd9d20f2810481a378c19e1c3066e8f0396a887
Opcode Fuzzy Hash: 1f223cb5a796a685e21b83ce8ae1a9ee5b3e0776af94843079b38af3f6ff9759
Instruction Fuzzy Hash: DD017171904200AFD310DF16DD46B26FBE8FB88A20F14856AED089B741D735F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA7C6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00FDA7F8

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7612f08182d717385ec2b67651cf14fecfb1813e8e1acc4960843f05c1e9be66
Instruction ID: eb8f77ec142647eee0d020df874a63bc8ca75fb81243685ff718d39709dcfe07
Opcode Fuzzy Hash: 7612f08182d717385ec2b67651cf14fecfb1813e8e1acc4960843f05c1e9be66
Instruction Fuzzy Hash: 3D018F759042408FEB10DF25D985766FBE4EF04320F1CC4ABDD098F352D279A954EAA3

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA5FE Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 00FDA636

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: f2f2a76eee7a317e2d7c937d30151c285d23953f24e4da8f7fe870619d00096a
Instruction ID: 15ccee2a77aabd1b54995aceb755887562bacf8462768127282d76bf38542d0e
Opcode Fuzzy Hash: f2f2a76eee7a317e2d7c937d30151c285d23953f24e4da8f7fe870619d00096a
Instruction Fuzzy Hash: 38015A71805240DFEB20CF65D984B66FBE4EF04320F0CC4AADE498B252D275E418DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB062 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00FDB094

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b94308ffc92daaedadbb887adaa724bd3adb0d2e34cb250d8881a7877addc725
Instruction ID: e86e9b7a1381927e9f373b7e6dcd0c710e4bb49a68bf92f7688da726f1aa0a26
Opcode Fuzzy Hash: b94308ffc92daaedadbb887adaa724bd3adb0d2e34cb250d8881a7877addc725
Instruction Fuzzy Hash: 79018175904244DFEB108F15D889B66FBE4EF04320F0DC0ABDD058B752D375A954DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00FDA30C

Memory Dump Source

Source File: 00000000.00000002.1222354244.0000000000FDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fda000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cb6d9896558ce7dacafa5a50949fc4f513f188f7daf74a1a5799eae00ff4b4de
Instruction ID: f2d55e9707b08eb00da08956c99350b361b28d03aff21db204d4a027df78ca0b
Opcode Fuzzy Hash: cb6d9896558ce7dacafa5a50949fc4f513f188f7daf74a1a5799eae00ff4b4de
Instruction Fuzzy Hash: 4DF08135808240CFDB209F05D885761FBE5EF04720F08C09ADD094B356D376A424DAA7

Uniqueness

Uniqueness Score: -1.00%

Function 050B02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b2e11512eb846c6cb99c0ab33b5279da282879ab24f7a9318e7482922d2e1b
Instruction ID: c8a23442f0203b5c27e95a5da07fb15adcab6fab9c341656aea664ea2464808f
Opcode Fuzzy Hash: 29b2e11512eb846c6cb99c0ab33b5279da282879ab24f7a9318e7482922d2e1b
Instruction Fuzzy Hash: 60B13D34701124CFC759EB66E99CB9F7BB2FF89354B108624DA069B798EB309D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050B0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3951549c2a164fde3434da0671a0147cbb13ceb12ee3dba0046e95812fb31df2
Instruction ID: be90bf3b7bf6bd5ad1937a40332424f5fa632d8f1292186ab8c919c192826518
Opcode Fuzzy Hash: 3951549c2a164fde3434da0671a0147cbb13ceb12ee3dba0046e95812fb31df2
Instruction Fuzzy Hash: 4111A031B10128AFCB05EBB8D8489DF7BF7BF89214B054575E605E7765EF31A80A8B81

Uniqueness

Uniqueness Score: -1.00%

Function 013F0808 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222547067.00000000013F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fd1c1052a4efc6b4d54eaa90f44ec0ed05b9a8e758c8bb4adb93c1caf92ff4
Instruction ID: fd23aa280d05ebb00c9ab36ecdf68161a08df7ef4c9494d2a028e208bf1232af
Opcode Fuzzy Hash: 88fd1c1052a4efc6b4d54eaa90f44ec0ed05b9a8e758c8bb4adb93c1caf92ff4
Instruction Fuzzy Hash: 150184B2809704AFD300DE05ED85D56FBECEF85624F04C46EED484B241D275AA158BE2

Uniqueness

Uniqueness Score: -1.00%

Function 013F05E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222547067.00000000013F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9726eae4334b46fd9c54a8ffd966a9d9fa451101ad2bfa338ded5717a7c9135a
Instruction ID: e57605bb28f2c99d666792e9981bb466fd405c2707ac79fb284130a0c6ec7ddf
Opcode Fuzzy Hash: 9726eae4334b46fd9c54a8ffd966a9d9fa451101ad2bfa338ded5717a7c9135a
Instruction Fuzzy Hash: 220186B650D7805FD7128F16AC40862FFA8EF86620709C49FEC498B652D236A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 013F082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222547067.00000000013F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca43b34fc0eaa35aa781c38b1782c3888786dbe2216a64a0ce7fd4dc5ae06290
Instruction ID: 5063f69d14e7add7228bcda7ccba90158d1776652e224aff0d459baa3023b9ca
Opcode Fuzzy Hash: ca43b34fc0eaa35aa781c38b1782c3888786dbe2216a64a0ce7fd4dc5ae06290
Instruction Fuzzy Hash: 1CF082F29092046BD200DF05ED45856F7ECEF84521F14C56AED088B304E27AA9154AE2

Uniqueness

Uniqueness Score: -1.00%

Function 013F0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222547067.00000000013F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45ced24e658eba5d7ba98dba1fa09c1d2f260c24af2cc8bcaf734f3e58bb32c
Instruction ID: e7d274514db4de29ce6f5cdab991438b696d5dd57fb013f3b0b2340c040ae140
Opcode Fuzzy Hash: c45ced24e658eba5d7ba98dba1fa09c1d2f260c24af2cc8bcaf734f3e58bb32c
Instruction Fuzzy Hash: 44E092B6A086004BD650DF0BFC41452F7D8EB84630718C07FDC0D8B701E27AB504CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 050B0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44cf78737163515aacea9c571bf425e4938de3eda3810942cfca79e680ea57c
Instruction ID: 1f4724d6d9c2f6756e6cfe9caba1e24cdee851c3141efe00c5798cf4a3f42691
Opcode Fuzzy Hash: c44cf78737163515aacea9c571bf425e4938de3eda3810942cfca79e680ea57c
Instruction Fuzzy Hash: C7E0DF31F192A41FCB04EBB884441EE7FA6DF8A014B9544BAD109E7752EA348A078380

Uniqueness

Uniqueness Score: -1.00%

Function 050B0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6c535e5f5776cc5db94e415c683143f531dc757184ec1c65be53f2119ae343
Instruction ID: 17e567e18c3dccd89d9859ce96bc9e0546744a3a4e1f7267b58d321f34789aa3
Opcode Fuzzy Hash: 7d6c535e5f5776cc5db94e415c683143f531dc757184ec1c65be53f2119ae343
Instruction Fuzzy Hash: 36D01731F042282B8B48EAB998445EFBAEA9BC5164B55847A9009E7740EE35990687C8

Uniqueness

Uniqueness Score: -1.00%

Function 050B0DD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365d65684fb566a2bb487c61b454fd2872c88d3a7abe584ba147e04d8143f9cf
Instruction ID: 3fbd4878f2c8027cc6f320e857de7e5cbe99428f0eb7806fe012a5e7a59b2567
Opcode Fuzzy Hash: 365d65684fb566a2bb487c61b454fd2872c88d3a7abe584ba147e04d8143f9cf
Instruction Fuzzy Hash: CBE0862024C2904FCB039734947A9DA3FA35F93104F0985D9C4468B6B3D5A5D845DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00FD23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222334404.0000000000FD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb250d22e18280f06fb6b5f577c3d9dcd398a7deab55ecf4f25075e851edf2e7
Instruction ID: 8872a0f84c7619ce7af1b3965325abb55e90fc43ba5a2e94dd55f7af0b48f4f7
Opcode Fuzzy Hash: eb250d22e18280f06fb6b5f577c3d9dcd398a7deab55ecf4f25075e851edf2e7
Instruction Fuzzy Hash: 36D02E7A2096804FE323CA0CC1A4B8537E4AB62724F0A00FAAC008F363C328D880E240

Uniqueness

Uniqueness Score: -1.00%

Function 00FD23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222334404.0000000000FD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5323c066635b7b59422e5182a401836d13867e0e06015bf4e2ec07bba986028c
Instruction ID: acfcf0ac371e0183cf8e0bb8aedeb0816dad9c8c888db285681be8a9a077d72b
Opcode Fuzzy Hash: 5323c066635b7b59422e5182a401836d13867e0e06015bf4e2ec07bba986028c
Instruction Fuzzy Hash: 05D05E346042814BD725DA0CC2D4F5933E5AB90724F0A45E9AC108B362C7A9D8C0DA40

Uniqueness

Uniqueness Score: -1.00%

Function 050B0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1222943704.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d0a47d7f0b49eb290b03f7a4fa6444c9c07cd3cf00a2da623704067b30eced
Instruction ID: 484a059e5f24c2726c03e590b09b5657531085fdf053dd631c8555e40060841c
Opcode Fuzzy Hash: c2d0a47d7f0b49eb290b03f7a4fa6444c9c07cd3cf00a2da623704067b30eced
Instruction Fuzzy Hash: 19C012303402148BDB05A768E47DEAF73D76BD0304F45C56485190B365DAB0E840C684

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxBlockMap.xml

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxManifest.xml

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxMetadata\CodeIntegrity.cat

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\AppxSignature.p7x

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\[Content_Types].xml

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\concrt140_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\logo.png

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_1_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_2_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_atomic_wait_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\msvcp140_codecvt_ids_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcamp140_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vccorlib140_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcomp140_app.dll

C:\Users\user\AppData\Local\Temp\t2f21tjr.pdx\vcruntime140_app.dll

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe.zip