Edit tour

Windows Analysis Report
ScanMaster-ELM v2.1.rar

Overview

General Information

Sample name:	ScanMaster-ELM v2.1.rar
Analysis ID:	1403390
MD5:	c3f7c1ef128cd4b76c08fe50c71301db
SHA1:	b5a5cb4e5e6e220a515f443ed5afe79455adcca3
SHA256:	2cf7cdb20054f65918dc42103a779a4896ab316e22ccdc6b23c872d327480be0
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates files with lurking names (e.g. Crack.exe)

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 3784 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6128 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yue0qnrb.3os" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

System Summary

Creates files with lurking names (e.g. Crack.exe)

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\yue0qnrb.3os\ScanMaster-ELM v2.1\KeyGen.exe

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: classification engine

Classification label: sus23.evad.winRAR@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yue0qnrb.3os" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yue0qnrb.3os" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: ScanMaster-ELM v2.1.rar

Static file information: File size 17032684 > 1048576

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_01302CC1 push edi; retf 006Bh

0_2_01302CC2

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1410000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 637			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9331			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3608	Thread sleep count: 637 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3608	Thread sleep time: -318500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3608	Thread sleep count: 9331 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3608	Thread sleep time: -4665500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0130B1D6 GetSystemInfo,

0_2_0130B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yue0qnrb.3os" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ScanMaster-ELM v2.1.rar	9%	ReversingLabs	Archive-RAR.Trojan.Generic
ScanMaster-ELM v2.1.rar	5%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1403390
Start date and time:	2024-03-05 13:50:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ScanMaster-ELM v2.1.rar
Detection:	SUS
Classification:	sus23.evad.winRAR@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 0
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:52:07	API Interceptor	4720673x Sleep call for process: unarchiver.exe modified

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3765
Entropy (8bit):	5.05454231401154
Encrypted:	false
SSDEEP:	48:alNtCGRGbRGRGpXGvGRGp3wrwrWGCwGLGDG3iGRGiGKGRGRGmxGRGEGRGmiFL19U:alxa7ozdroLN
MD5:	45270195A23BF6C0C6FFE620347BF562
SHA1:	6BE81201F156AAE2A4870C64CA8D217327BF1B1F
SHA-256:	AB0D0D62AB43219DFD08E7F7F26A0097FF28E051F0CF3AE8752B77BDE2141997
SHA-512:	8B1D06D15994C4F1E0528A6032B18CF14F71194AE8FAC2FA32A4A6EE7B949134A9D4A06175C51D483F2FC3987EBF956FA13FE3798761D58A4463B983505AA7FB
Malicious:	false
Reputation:	low
Preview:	03/05/2024 1:51 PM: Unpack: C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar..03/05/2024 1:51 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\yue0qnrb.3os..03/05/2024 1:51 PM: Received from standard out: ..03/05/2024 1:51 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..03/05/2024 1:51 PM: Received from standard out: ..03/05/2024 1:51 PM: Received from standard out: Scanning the drive for archives:..03/05/2024 1:51 PM: Received from standard out: 1 file, 17032684 bytes (17 MiB)..03/05/2024 1:51 PM: Received from standard out: ..03/05/2024 1:51 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar..03/05/2024 1:51 PM: Received from standard error: ERROR: Data Error in encrypted file. Wrong password? : ScanMaster-ELM v2.1\KeyGen.exe..03/05/2024 1:51 PM: Received from standard error: ERROR: Data Error in encrypted file. Wrong password? : ScanMaster-ELM v2.1\ScanMaster-ELM v2.1.exe..03/05/2024

Static File Info

General

File type:	RAR archive data, v4, os: Win32
Entropy (8bit):	7.999988783726525
TrID:	RAR Archive (5005/1) 83.31% REALbasic Project (1003/3) 16.69%
File name:	ScanMaster-ELM v2.1.rar
File size:	17'032'684 bytes
MD5:	c3f7c1ef128cd4b76c08fe50c71301db
SHA1:	b5a5cb4e5e6e220a515f443ed5afe79455adcca3
SHA256:	2cf7cdb20054f65918dc42103a779a4896ab316e22ccdc6b23c872d327480be0
SHA512:	00a83abe4e5a86b131ef7bbbd13b6fe486081e1f63e361dbbbe5a387a941f5d6be05770b40ec768707523cb54b3839b1694abd8cb56984b31e2ec405e9f79ccd
SSDEEP:	393216:6x0iIGKGSlChicMzZ0tbcrqAMxxtR8ElNiyjEP:svDq8b7/xjzgP
TLSH:	4D0733930B1EBD0A7E932DBE8B2EC34F5FD184488A1FFD1F640455A9C249BBE816650D
File Content Preview:	Rar!.....s..........g.t..F...........4.YE\|:A.3.. ...ScanMaster-ELM v2.1\KeyGen.exeWep..j.RF0...H9n...z&X...o.....D...%.9m.._".+M....&..9....#.NG^..\.nI-.J.s....f...w.qa..Un:..m.i:..g.G.....).....F @.-...77.*7....V^.ql...N-]y4o..H.z..3Q.-.2K.......t7y..\|..

File Icon


Icon Hash:	90cececece8e8eb0

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	13:51:33
Start date:	05/03/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar
Imagebase:	0xa20000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	13:51:33
Start date:	05/03/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yue0qnrb.3os" "C:\Users\user\Desktop\ScanMaster-ELM v2.1.rar
Imagebase:	0x200000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:51:34
Start date:	05/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0130B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0130B208

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2d7502222b8964a93be8913d497a6446ef447f9046d533057353262a404e7797
Instruction ID: 01ad2a8118d59ddb90dfb33db0ffd6e2b3a02521e7cfae27b8c1bb3ab75c50da
Opcode Fuzzy Hash: 2d7502222b8964a93be8913d497a6446ef447f9046d533057353262a404e7797
Instruction Fuzzy Hash: E001F2349002448FDB11CF19D984765FBE8EF01224F08C4AADD088F746D379A404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0130B2F3

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a7e2b059075d7cdc315784987d6bc876666c8c3532dfe11a1341afa3d499e598
Instruction ID: 3cb8c3c2dca896958861b208e4c55f3409a87d225cbce97a0aff470d35a4aba7
Opcode Fuzzy Hash: a7e2b059075d7cdc315784987d6bc876666c8c3532dfe11a1341afa3d499e598
Instruction Fuzzy Hash: 0631D471404344AFE7228B65CC44FA7BFBCEF06214F04889AE985CB652D335E919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0130AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0130ADA7

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6380a704d96c4b760faf04bfdf18bc07938eda98a4c5f5dfa6263293db4a186e
Instruction ID: df22310f298b4be28f73dd5f46b731d3efbb16131774e2c59245a42a85e90fc9
Opcode Fuzzy Hash: 6380a704d96c4b760faf04bfdf18bc07938eda98a4c5f5dfa6263293db4a186e
Instruction Fuzzy Hash: 2131C471104344AFEB228B65DC44FA7BFACEF06214F04489AE985DB652D335A819CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0130AB76 Relevance: 1.6, APIs: 1, Instructions: 92
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0130AC36

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 487016c1386a2da0515fcd15ad8102eb2afd8393f859faffcf43c5a0414b01e4
Instruction ID: c5419c7ae9566f8906b8c17e2a0e5375b38a0b59c934fb3f2318a168471775c1
Opcode Fuzzy Hash: 487016c1386a2da0515fcd15ad8102eb2afd8393f859faffcf43c5a0414b01e4
Instruction Fuzzy Hash: 4931807150E3C05FD3138B358C65A55BFB4AF47210F1A84DBD884DF5A3D2696819C762

Uniqueness

Uniqueness Score: -1.00%

Function 0130A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0130A67D

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4e22c07477143d8584384dad14fe475daad0e86f0901d118248d892c6556b40
Instruction ID: a1765290dbe57410146e3406edd4315e8ebe0546e35b57f5d8d270ecc33331d4
Opcode Fuzzy Hash: a4e22c07477143d8584384dad14fe475daad0e86f0901d118248d892c6556b40
Instruction Fuzzy Hash: 6A319E71504344AFE722CB25DD44F62BFF8EF45224F0888AEE9858B692D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0130A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0130A1C2

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e85a183bb2a69fde7bf21794529079a4f0d53864ff9ef46ce56a766bb9796204
Instruction ID: ac3852eaa38947be151b62a0195ef7be1362d53394c2de46482f547ef801bb84
Opcode Fuzzy Hash: e85a183bb2a69fde7bf21794529079a4f0d53864ff9ef46ce56a766bb9796204
Instruction Fuzzy Hash: 3121E07150D3C06FD3128B258C51BA6BFB4EF87610F1984CBD884DF693D235A91ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0130ADA7

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d32b12179c388e474a1dc6faf46874445c22ed2644bb123ab7ef5f04fc9590a
Instruction ID: da126c58eb54c299160678ec2ac5ab21d4b420fd8539e87fbabe5d4f86e6e2c3
Opcode Fuzzy Hash: 0d32b12179c388e474a1dc6faf46874445c22ed2644bb123ab7ef5f04fc9590a
Instruction Fuzzy Hash: 8921F772100304AFEB21CF64DD44FABFBECEF04214F04882AE9459BA51D735E4188BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A40C

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5da5552dcac391adde81b37692d42520fdcecc0c2c43dbc1547385cde53ed11b
Instruction ID: c057c955fd8d17963acecc251656b5a7f9dd84ce9d3bd769e02c4b4caaef7361
Opcode Fuzzy Hash: 5da5552dcac391adde81b37692d42520fdcecc0c2c43dbc1547385cde53ed11b
Instruction Fuzzy Hash: 9C217C75504344AFE722CB15DC84FA2BBF8EF05614F08849AE9459B692D374E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0130B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0130B2F3

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c25123cbaec1068504c933ec58842bcca52de87f48b44166dbc6082a70553cc9
Instruction ID: ea9b6996c9fcaa575c7cfd3d038f0768ffa9c49e7e68f38c2fa10cf965244219
Opcode Fuzzy Hash: c25123cbaec1068504c933ec58842bcca52de87f48b44166dbc6082a70553cc9
Instruction Fuzzy Hash: 9121B072500304AFEB22CF65DC44FABFBECEF04224F14886AE9459BA55D375E5188BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A8DE

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0b623f5aa88539afd19068a2f060feac3cf3737ed7429339ee8820f5f2d94f2c
Instruction ID: 33335feff0c04844e4918b7243e912b4aaba3b2527c8fe7979cf013fd4b7c36e
Opcode Fuzzy Hash: 0b623f5aa88539afd19068a2f060feac3cf3737ed7429339ee8820f5f2d94f2c
Instruction Fuzzy Hash: 9C21F4715083806FE7238B14DC40FA2BFB8EF46314F0888EAE9849B653C335A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0130A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A9C1

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 51738b5d5baec2f7058a2e704a664f8694d95b0a91b8d3ac86603ff8bbfef442
Instruction ID: b00c0e6240adf37e0cb191e9020775fe2927166045b1e52324a753111a4532a4
Opcode Fuzzy Hash: 51738b5d5baec2f7058a2e704a664f8694d95b0a91b8d3ac86603ff8bbfef442
Instruction Fuzzy Hash: FC21B5715093806FDB22CF55DD44F96BFB8EF06314F08889AE9849F252C375A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0130A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0130A67D

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8b6e2daa15ca939fe886e7dcee123b17afd343996d6ad7b71a9d68c415368e9c
Instruction ID: a1387c14903667a6b753c709f7f94fa891e2dc0b397a107ba097030c3b76b6b2
Opcode Fuzzy Hash: 8b6e2daa15ca939fe886e7dcee123b17afd343996d6ad7b71a9d68c415368e9c
Instruction Fuzzy Hash: 18219C71600308AFEB22CF29DD45B66FBE8EF48224F088869E9458B791D375E418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0130A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A815

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: cad60ca0350f7859a83ea019eae451fe2ca62e8dff407be69d5137b3150598fa
Instruction ID: dbb27f3e2de6eb5d76ad599ddc130dde430aa8ca73a6f92c2ee12b5d057c2b44
Opcode Fuzzy Hash: cad60ca0350f7859a83ea019eae451fe2ca62e8dff407be69d5137b3150598fa
Instruction Fuzzy Hash: 3221D8B54093806FE7238B15DC40BA2BFB8DF47314F0884DAE9849B693D374A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 0130AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0130AA8B

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6b8069211cb47cab71a3bcfbd0988396ea63c4e562837b8908c6a0e0914f3cea
Instruction ID: 848b7689070543763b6114737e7087e9093270ef890f8afb7df419e8cae9d77c
Opcode Fuzzy Hash: 6b8069211cb47cab71a3bcfbd0988396ea63c4e562837b8908c6a0e0914f3cea
Instruction Fuzzy Hash: 6D21B0715083C05FEB12CB29DC55B92BFE8AF06314F0D84EAE984CB193D325E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0130A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0130A748

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: efaac6f92a944eb2652b595abf89284aea66f59538be2671efaa8996e5e69889
Instruction ID: 3047f5157d801cd63d8dcbc94fc3e04cbd1d87f8a50d6e4233c88f5f565e280d
Opcode Fuzzy Hash: efaac6f92a944eb2652b595abf89284aea66f59538be2671efaa8996e5e69889
Instruction Fuzzy Hash: 162104B55093C05FDB138B24DC91652BFB8EF07324F0984DADC818F2A3D2759909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0130A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A40C

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc2a9586616746b5d95679066e6b49bc786df5517a47b82aecc62acf8d012efc
Instruction ID: 53eb9df417607c8c2ff94cf4438b685cfef1eab4012441cbdd24499f78fc2c66
Opcode Fuzzy Hash: bc2a9586616746b5d95679066e6b49bc786df5517a47b82aecc62acf8d012efc
Instruction Fuzzy Hash: 52218E756003049FE722CE19DD84FA6B7ECEF04614F04846AE9459B791D774E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0130A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A9C1

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b6960a330451be8039593b5b0c5bf49f471ce813b2ae8c3af2db90c16694b4ce
Instruction ID: 5269f4086bbaa748712791aaf5a67cd1e4d8be7a17b1bd4dd22bc8d97ba1d6ba
Opcode Fuzzy Hash: b6960a330451be8039593b5b0c5bf49f471ce813b2ae8c3af2db90c16694b4ce
Instruction Fuzzy Hash: 8911C471500304AFEB22CF59DD84FA6FBE8EF44328F04886AE9459B691D375A458CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0130A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A8DE

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6b2068ec2fa50b6730b56beef52557eb7847650ddf4e8270a75c2c1807b4d6f9
Instruction ID: 4ecec1d116c92519dc69cee1f0967ec361269e45315a6a8d33f49510f3de11a1
Opcode Fuzzy Hash: 6b2068ec2fa50b6730b56beef52557eb7847650ddf4e8270a75c2c1807b4d6f9
Instruction Fuzzy Hash: B711E372500304AFEB22CF58DD84BA6FBE8EF44324F04C86AED459B681D375A5198BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0130A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0130A30C

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 337be652d01f6876e974d8e523ec8e7548ea722eb58859c0546aa19fb1994956
Instruction ID: f0e756c1346d76e67f6b42e296e759e165cfa6867d9efd5f814dc7148584a636
Opcode Fuzzy Hash: 337be652d01f6876e974d8e523ec8e7548ea722eb58859c0546aa19fb1994956
Instruction Fuzzy Hash: 051191754093C09FDB238B25DC94A52BFB4DF07224F0984DBD9848F2A3D265A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0130B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0130B208

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7a479117db026fe0961879083102e5ba19b4eaaf4b57ccbabe6d43e9f557fab5
Instruction ID: bc9a7dc9f746e6a3a19af5ca51648d9d38b3253ea93172d7775de22fa8980687
Opcode Fuzzy Hash: 7a479117db026fe0961879083102e5ba19b4eaaf4b57ccbabe6d43e9f557fab5
Instruction Fuzzy Hash: 3511A0715093809FCB12CF15DC94B56FFB4DF46224F0884DAED848F253D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0130AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0130AFE4

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 4adfde073635f4b5a964ded70fbadd8a77dc7ffc0d4bdaa0fc53d528706e8ece
Instruction ID: a8e473bdf0e0d9416e707306cda0e4a4711ba144d3b181533dfa3ba35f9c3347
Opcode Fuzzy Hash: 4adfde073635f4b5a964ded70fbadd8a77dc7ffc0d4bdaa0fc53d528706e8ece
Instruction Fuzzy Hash: 721191755093809FD7128B29DC85A52FFF4EF06220F0984DAD9858B263D375A858DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0130A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,4CED4701,00000000,00000000,00000000,00000000), ref: 0130A815

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0f5888c75e4713ae2dadc69cc7a237bd416651db268bf3ec50758060648d6255
Instruction ID: da8159362f635edcb271a427a72ab6c073a5185f8f7beeb02e9c4a0b989d6285
Opcode Fuzzy Hash: 0f5888c75e4713ae2dadc69cc7a237bd416651db268bf3ec50758060648d6255
Instruction Fuzzy Hash: BB01D671500304AEE721CB09DD85BA6FFECDF45624F04C46AED059BB81D378A9098AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0130AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0130AA8B

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 35520484d44fb8076a85e64b05b7199d5c1bf5f0f0a2c373b941a8575f0c317d
Instruction ID: b622f80aec7fe0ec2fea306df3aedc02352fbfeb545bbd97c0d03139261ce317
Opcode Fuzzy Hash: 35520484d44fb8076a85e64b05b7199d5c1bf5f0f0a2c373b941a8575f0c317d
Instruction Fuzzy Hash: 5D11A1716003449FEB11CF29E984B56FBE8EF04224F08C4AADD09CB6C2E375E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0130A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0130A1C2

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 47a7782ad216c898c4101a668583696bb0d5db2a5a26e4178b50461a455e420b
Instruction ID: 2690c62564be9608c0c8daf993f0f201f7bfeb10da13480135dcd0bed30e77e3
Opcode Fuzzy Hash: 47a7782ad216c898c4101a668583696bb0d5db2a5a26e4178b50461a455e420b
Instruction Fuzzy Hash: 9501B171600201AFD310DF1ACD45B66FBE8EB88A20F14856AEC089BB41D731F915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0130ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0130AC36

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 95e83da50bbd599a71648fb82d07f41050c3902a724b6212a4d4e03b55f2a15d
Instruction ID: 5c6a973a3da4e94a7a693e4beeb2ee263975483a0fafe9e3e82ca6f2e8505956
Opcode Fuzzy Hash: 95e83da50bbd599a71648fb82d07f41050c3902a724b6212a4d4e03b55f2a15d
Instruction Fuzzy Hash: 3B019E71600201AFD210DF1ACD45B66FBA8EB88A20F14852AEC089BB41D731F915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0130A748

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f84e315003c82566e41a0aade410efd6cf790e427690f7f35dd0a4afea4d9d21
Instruction ID: 33612a19bd8ea2b32fafdbb4dde0ae113aabbe79e87f5f40cff9f0442d26a9a9
Opcode Fuzzy Hash: f84e315003c82566e41a0aade410efd6cf790e427690f7f35dd0a4afea4d9d21
Instruction Fuzzy Hash: 6F01D4716003448FDB11CF59E984755FBE4DF00624F08C4AADC068B682D379E414CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0130AFE4

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 63809895111e8eaebd20bea7fbc22aeaf5d657c554062f0babcbce4f4a6b0061
Instruction ID: 28eddeba2c6d4a4a937120c07c55a9f64b4975e82560b77330a528557114c10b
Opcode Fuzzy Hash: 63809895111e8eaebd20bea7fbc22aeaf5d657c554062f0babcbce4f4a6b0061
Instruction Fuzzy Hash: 4101D1756003448FDB22CF19D884762FBE4EF04224F08C4AEDD058BB96D379E858DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0130A30C

Memory Dump Source

Source File: 00000000.00000002.4467335277.000000000130A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a015b6272b476dee29b38436727b0f308c6b28ac2e1eb12f974dcb1f07be8ae0
Instruction ID: 972bb92c8b8ffa38911e6b9005908247924c03e5552db08db00f40d8a7330728
Opcode Fuzzy Hash: a015b6272b476dee29b38436727b0f308c6b28ac2e1eb12f974dcb1f07be8ae0
Instruction Fuzzy Hash: C6F0AF355043449FDB21CF09E985761FBE4EF44624F08C0EADD494B796D3B9A418CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 014B02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe99075f63d349d7c5e3966642d2d41e2ea4d7ed94f2bc1baac12fe7fd658db
Instruction ID: edc8294c3bf0ea035cb302849145ec741affb8aad5a9572da6df9f1767db13a2
Opcode Fuzzy Hash: dfe99075f63d349d7c5e3966642d2d41e2ea4d7ed94f2bc1baac12fe7fd658db
Instruction Fuzzy Hash: 94B10B34602210CFCB24DF64E998A5A7BF6FF88351B60817DE906AB355DB3D9C05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014B0799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c10aab82fc858c3b1216e288b47ddcdcc4338f775a163a2a3fd745b2294acc
Instruction ID: d22f1b90231721f10d3db9e89943158ef7b1bff6acfc4b49e8f0df886d0dc296
Opcode Fuzzy Hash: e0c10aab82fc858c3b1216e288b47ddcdcc4338f775a163a2a3fd745b2294acc
Instruction Fuzzy Hash: EBA18B34B012048BDB259FB8C5557AE77F6FBC8308F208439E906A7394DB7C9C068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 014B0C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb64249e71fa5419a715ef273e1eac007d217ae07b62e58b4d4cf945c305e40
Instruction ID: d12f6104a9106bc8555a2116fbd5d3bbc395d2a8157b33d48b0c2b0c7bad2d41
Opcode Fuzzy Hash: ebb64249e71fa5419a715ef273e1eac007d217ae07b62e58b4d4cf945c305e40
Instruction Fuzzy Hash: 4D21F830B002548FD726DB3984516AF7AE69FCA208B44843CD446DB394DB7E9D0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 014B0CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc716b99284399410e82ae33335bed8a92a8fde42582af21ad77e0b1751c345
Instruction ID: 302d42ae1bbc40a07899e73ef06042259b110c070a63d35afebe684594b96d83
Opcode Fuzzy Hash: acc716b99284399410e82ae33335bed8a92a8fde42582af21ad77e0b1751c345
Instruction Fuzzy Hash: 2521B130B006148BDB25EB3985516AFB6E7AFC9208B44882DD446DB384DF7DAD0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 014B0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a05b91d22ae0cf4c8103c335714065e62adb2e0c22cd057be7030cf1ff5
Instruction ID: 5cd5646a635bcb4303a965cbcafd8a44f02b43d2708c9e3f68140f954880bb81
Opcode Fuzzy Hash: 48042a05b91d22ae0cf4c8103c335714065e62adb2e0c22cd057be7030cf1ff5
Instruction Fuzzy Hash: E5119E36A10118AFCB049FB8D84599E7BF6FFCC214B148179E605E7224EB39AC198BD0

Uniqueness

Uniqueness Score: -1.00%

Function 01370808 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467469804.0000000001370000.00000040.00000020.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a41a22e15894061b437658a84c5407ee8e839a772517b75dd679296390f1607
Instruction ID: 1de629d68f7a56c9965beff59eacfe9dc64523d6b8ce71abf545fcf54d083a1c
Opcode Fuzzy Hash: 7a41a22e15894061b437658a84c5407ee8e839a772517b75dd679296390f1607
Instruction Fuzzy Hash: DD0175B2409744AFD301DB15EC41C57FBF8DF96524B09C4AAE8488B641D235A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 013705E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467469804.0000000001370000.00000040.00000020.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6540c8133dab95d8cfca9e891e3e0e4a7969d09bb23f7f9b8d2ad3f4d92d44
Instruction ID: 962e516baf4f42f8b98bdd070c895f539138daffa705cebbbbad7458e392ed85
Opcode Fuzzy Hash: db6540c8133dab95d8cfca9e891e3e0e4a7969d09bb23f7f9b8d2ad3f4d92d44
Instruction Fuzzy Hash: 2C01D6B65097806FC7128B16AC40862FFB8DF86520709C4AFEC898B652D225A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0137082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467469804.0000000001370000.00000040.00000020.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193067bd4704a02b0ff197aa23ef8187bfd558dd8c86ae765a54be71c7cf63ab
Instruction ID: 4123e6c1106822666be705ad6b503e126616af6fd98bb134a29dfcdf0ad594f3
Opcode Fuzzy Hash: 193067bd4704a02b0ff197aa23ef8187bfd558dd8c86ae765a54be71c7cf63ab
Instruction Fuzzy Hash: A6F082B2805204AB9300DF09ED85856F7ECEF94521F14C56AEC088B700E376A9198AE2

Uniqueness

Uniqueness Score: -1.00%

Function 01370606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467469804.0000000001370000.00000040.00000020.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79166a295b49658c01f0fe5e2330b9460563149b0753014f04770403ba10ddd1
Instruction ID: 1339a5c30f902c2673114bcece9bf29818a941ee8dc5c6d4c9d214779ad79244
Opcode Fuzzy Hash: 79166a295b49658c01f0fe5e2330b9460563149b0753014f04770403ba10ddd1
Instruction Fuzzy Hash: 11E092BA6006004B9650CF0AEC81452F7E8EB84630718C47FDC0D8BB01E276B509CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 014B0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08306d244790a05a676a0b92e65bd7994d3e28ebed9c0ecce5d9017179b19f0
Instruction ID: 5e0329c92dd1b1ca4c1ee82df0b18e9e016fd69cd809f40174405c64c9632e43
Opcode Fuzzy Hash: a08306d244790a05a676a0b92e65bd7994d3e28ebed9c0ecce5d9017179b19f0
Instruction Fuzzy Hash: BAE04F71F252542FCB48EEB9984159E7FE5DB89264FA444BD9009D7340EA3989038B81

Uniqueness

Uniqueness Score: -1.00%

Function 014B0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256fca17dfcae217f94a9b6ed9a050b2a6fd79afb0fc470ae7e292dcf391aa76
Instruction ID: 2af02f387733a0156833442286e15f133c7895bfdedecdc183a9b08ee625824a
Opcode Fuzzy Hash: 256fca17dfcae217f94a9b6ed9a050b2a6fd79afb0fc470ae7e292dcf391aa76
Instruction Fuzzy Hash: 37D01271F142182B8B58EEF9984159E7AEA9B84164BA4447D9009D7340EE3999018780

Uniqueness

Uniqueness Score: -1.00%

Function 014B0DD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378726b6ce2f6c8f1407824a726ca8cb3c6339b8303ae0f713b13f02025716fb
Instruction ID: 52b0b708b586a7a23b0767ddfe164ea0ad0673a491e27bef4628c082caafeec4
Opcode Fuzzy Hash: 378726b6ce2f6c8f1407824a726ca8cb3c6339b8303ae0f713b13f02025716fb
Instruction Fuzzy Hash: D1E086341493808FCB078B74D4555963FB16FA2214F5580EED805CF672D67DC846C750

Uniqueness

Uniqueness Score: -1.00%

Function 014B0E08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa9911b5a897f430ddadf5fe0e31f36b5eb1bdeeaa06a31981884dd1b2bea69
Instruction ID: bedddbe18dc5690b3a9619f862a69c7590855fe2b81703c01c554535da327c95
Opcode Fuzzy Hash: 8fa9911b5a897f430ddadf5fe0e31f36b5eb1bdeeaa06a31981884dd1b2bea69
Instruction Fuzzy Hash: 50E0C23421A3808FC7064B7498155D93FB06B9A215F4881EAC8848B372C63DC802C760

Uniqueness

Uniqueness Score: -1.00%

Function 013023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467321872.0000000001302000.00000040.00000800.00020000.00000000.sdmp, Offset: 01302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1302000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9931fcbacfb1afafd5f19a7ed88f57becd36b9c1f5e0328b1409ce4c6c5eccdd
Instruction ID: a5b6658479627ad4689568869a7fb538148178aeb8d1bfb5bfb58322d750c1f7
Opcode Fuzzy Hash: 9931fcbacfb1afafd5f19a7ed88f57becd36b9c1f5e0328b1409ce4c6c5eccdd
Instruction Fuzzy Hash: 04D05E792056D14FE3279B1CC6A8B9A3BE4AB51718F4B44F9AC00CB7A3C768D581D610

Uniqueness

Uniqueness Score: -1.00%

Function 013023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467321872.0000000001302000.00000040.00000800.00020000.00000000.sdmp, Offset: 01302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1302000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98e04acd375a3322aaf124159fdc9bd338a24bbc14ed720ee29ae8a860fcd37
Instruction ID: 44aa473a44ba6cc888f69aadf252808333e9cf815d2b0ab2f7a2b5b7e4b5ee3d
Opcode Fuzzy Hash: d98e04acd375a3322aaf124159fdc9bd338a24bbc14ed720ee29ae8a860fcd37
Instruction Fuzzy Hash: 38D05E342002814BDB26DA0CD2E8F5A3BD8AB40718F0644E8AC108B7A2C7B9D8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Function 014B0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6001d9ea7a0cda969ea84df60152e1816840dc6ca5fc17eedc27ef334974987d
Instruction ID: 0c90c8b15eef757f04cdddc3d280482bea9a4e1be1727bad49202af65e80e3b3
Opcode Fuzzy Hash: 6001d9ea7a0cda969ea84df60152e1816840dc6ca5fc17eedc27ef334974987d
Instruction Fuzzy Hash: 82C012302002048BD7049BB8D459A6777A657E4215F85C17995085B361DA7CEC40C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 014B0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4467556704.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a33b70bb3d9ad4a9ed00e0e5e68ec188acc05de62f6754dba7e8e25f5ddd2b6
Instruction ID: 89ca9c3737dd6541b995c4d812112c634e44bc582971582d1cee31e02f6b1f60
Opcode Fuzzy Hash: 9a33b70bb3d9ad4a9ed00e0e5e68ec188acc05de62f6754dba7e8e25f5ddd2b6
Instruction Fuzzy Hash: A5C012312002048BC7049BB8D559A6A77A557E8205F84C17959085B361CA7CEC41C694

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ScanMaster-ELM v2.1.rar

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 3784, Parent PID: 1028

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Windows Analysis Report
ScanMaster-ELM v2.1.rar