Edit tour

Windows Analysis Report
CITY OF PETERBOROUGH - 458869.zip

Overview

General Information

Sample name:	CITY OF PETERBOROUGH - 458869.zip
Analysis ID:	1446724
MD5:	fc0c0b757272fd6c7e685cf7ab572015
SHA1:	7f4154b32f6c5faa1c131d842be0295c63a4731f
SHA256:	42c215003cedebf58ae579314fe5f2776f5f289bf73209fff56fda9d98784c26
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 5340 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6760 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fadbomdn.g5u" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fadbomdn.g5u" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fadbomdn.g5u" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5050000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 528			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9440			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1164	Thread sleep count: 528 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1164	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1164	Thread sleep count: 9440 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1164	Thread sleep time: -4720000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0107B1D6 GetSystemInfo,

0_2_0107B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fadbomdn.g5u" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446724
Start date and time:	2024-05-23 20:18:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CITY OF PETERBOROUGH - 458869.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: CITY OF PETERBOROUGH - 458869.zip

Simulations

Behavior and APIs

Time	Type	Description
14:20:08	API Interceptor	4112349x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3331
Entropy (8bit):	5.099271797615244
Encrypted:	false
SSDEEP:	48:ZleaWGbAGAGpWGKhGAGp3BGb6GCBG4GWJGAGAGmfGAGhGAGm37L1pfHfHfHfHfHj:ZlqUqEG1AdYOY/
MD5:	1A0C8466EA668D2FCEB93049CC6EFB6E
SHA1:	661194ED030FD57CCC516B25E372075D7CDE375E
SHA-256:	7DF2B5A781C722B0662A8A906368A6D3ECABEA0D56936F75424B4DB095DB6E34
SHA-512:	C0EA6BC4CE194D0840050B0A157683755BBD6D04A28ACEBBA3C102CB31CFD5A0554FE0DE72F6396050CFEDF85D5F9C1EE1CC79A18AF062D01D02E8A548476703
Malicious:	false
Reputation:	low
Preview:	05/23/2024 2:19 PM: Unpack: C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip..05/23/2024 2:19 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\fadbomdn.g5u..05/23/2024 2:19 PM: Received from standard error: ERROR: Wrong password : CITY OF PETERBOROUGH - 458869.pdf..05/23/2024 2:19 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..05/23/2024 2:19 PM: Received from standard out: ..05/23/2024 2:19 PM: Received from standard out: Scanning the drive for archives:..05/23/2024 2:19 PM: Received from standard out: 1 file, 5475 bytes (6 KiB)..05/23/2024 2:19 PM: Received from standard out: ..05/23/2024 2:19 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip..05/23/2024 2:19 PM: Received from standard out: --..05/23/2024 2:19 PM: Received from standard out: Path = C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip..05/23/2024 2:19 PM: Received from standard out: Type = zi

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.958812988271879
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	CITY OF PETERBOROUGH - 458869.zip
File size:	5'475 bytes
MD5:	fc0c0b757272fd6c7e685cf7ab572015
SHA1:	7f4154b32f6c5faa1c131d842be0295c63a4731f
SHA256:	42c215003cedebf58ae579314fe5f2776f5f289bf73209fff56fda9d98784c26
SHA512:	62c8feec2736694e43f3d258ba488403b0de06341cd41c33ad8522c80d24de8ccdd1f2f4e6af2e2b63ef754728cce25b7318aad11ea7297cf08cde3150e820aa
SSDEEP:	96:SKRmuZejd3Mnerr4Tcih/82ejC+1q0YH41dUjt+Y3vvbfYBOVFqXRSCOc:FRmuverU9h/7/+1q0YOUQyvvLnFqXTOc
TLSH:	84B18E85AA80E4B1C38A9CB742CADC24EA4B4A5DB410FFFD834B86C31D4D7598D7993D
File Content Preview:	PK.........h.X........:...!...CITY OF PETERBOROUGH - 458869.pdf.g...M...LXi=..+...Yv#7...oq'avr.e...!m.8......w[......D`8..)..p~qD.9./..`=..\...o.`....;....;/..T.....h.b...E9.8m.s..@...">.....!..D3.D?.v.j....^.)...{v.....0.....#.gh.......M#&.;..b.......#.

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 5340, Parent PID: 1028

General

Target ID:	0
Start time:	14:19:33
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip"
Imagebase:	0xa70000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 6760, Parent PID: 5340

General

Target ID:	1
Start time:	14:19:33
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fadbomdn.g5u" "C:\Users\user\Desktop\CITY OF PETERBOROUGH - 458869.zip"
Imagebase:	0x320000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6720, Parent PID: 6760

General

Target ID:	2
Start time:	14:19:33
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 5340, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	20%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0107B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0107B208

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 653a722ad1dd3cbe3aaae67db72746152770aa79c406fd5f513fd8e24a9beee9
Instruction ID: 2ef952e7598bfd09dbcfbeede8ccb14809ee5836768919b2b233cecca8ebb211
Opcode Fuzzy Hash: 653a722ad1dd3cbe3aaae67db72746152770aa79c406fd5f513fd8e24a9beee9
Instruction Fuzzy Hash: 3B01D1719052448FDB50CF19E98976AFBE4EF45320F08C4AADD498F352D379E408CBA2

Function 0107B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0107B2F3

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d1bd5051f0b333e8f8a475a51a8456e0c8a24e9ff884736b3eae4f5da2be8526
Instruction ID: 30641e3f2d9bad18882465df8e5668a263e4d8b9a663e1395ac965fbcf7d2366
Opcode Fuzzy Hash: d1bd5051f0b333e8f8a475a51a8456e0c8a24e9ff884736b3eae4f5da2be8526
Instruction Fuzzy Hash: 8131A171504344AFE7228B65DC44FA7BFBCEF06220F08889AE985DB562D364E9098B71

Function 0107AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0107ADA7

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b82143064e793cdecc0c42ede3b101b7e7d323b6654c751b5a2a188b2027df77
Instruction ID: 54b4b88bdeddbc08433025560f789717c73fe14a3afddd9e5d2f6f9ee79c8fac
Opcode Fuzzy Hash: b82143064e793cdecc0c42ede3b101b7e7d323b6654c751b5a2a188b2027df77
Instruction Fuzzy Hash: CD31A171504344AFEB228B65DC44FA7BFECEF05224F08889AF985DB552D324E849CB71

Function 0107AB76 Relevance: 1.6, APIs: 1, Instructions: 96
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0107AC36

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: dafd869d988bd8581034cefbf9a9da130fa89f653ec7a174361c621ebc6d290c
Instruction ID: c6d121b7532739a34e902bb363f27c0539b22e5230757b4e4fd98d6685f23567
Opcode Fuzzy Hash: dafd869d988bd8581034cefbf9a9da130fa89f653ec7a174361c621ebc6d290c
Instruction Fuzzy Hash: 0931A27150E3C06FD3038B718C65A96BFB4AF47210F1A84CBD8C4DF5A3D269A919C7A2

Function 0107A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0107A67D

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d080890faa8c59912649ba34496a774849768adc864e903bf93c11bf6dd3560
Instruction ID: 362589a97da9b082961c19d1b148a41901ad6652b52be8b755531513ab3bdfa1
Opcode Fuzzy Hash: 9d080890faa8c59912649ba34496a774849768adc864e903bf93c11bf6dd3560
Instruction Fuzzy Hash: 3E319E71605340AFE722CB65DC44F66BFE8EF49220F08889EE9858B652D375E408CB71

Function 0107A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0107A1C2

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: d41ee2cdb1124a6f31a754194d104495fe95e9f6da17dcdd7a236190ac826e58
Instruction ID: 64d15fd66f39b314870ccd657a3a8179fb53cec18f2acd4c3d442c450efb3ca2
Opcode Fuzzy Hash: d41ee2cdb1124a6f31a754194d104495fe95e9f6da17dcdd7a236190ac826e58
Instruction Fuzzy Hash: 2A21E57150D3C06FD3028B259C51BA6BFB4EF87620F1985CBD884DF693D225A919C7A2

Function 0107AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0107ADA7

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b690c3c80e63ac4271f20ee8da4d11cfa971e70a847201ce96fee4ce22f6e0f0
Instruction ID: 47b1edb364e7f2e603c9dc1466b9b2ee4c2470e7d4dda0e5f409bff6434daec3
Opcode Fuzzy Hash: b690c3c80e63ac4271f20ee8da4d11cfa971e70a847201ce96fee4ce22f6e0f0
Instruction Fuzzy Hash: 3421B272500204AFEB219F55DC44FABFBECEF14224F08886AE9869B651D774E4488BB1

Function 0107B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0107B2F3

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ab991accea501f896650e88b4d35aa8e9ec8ae097d931427bbc74f0d8793657
Instruction ID: 5398826e88359c23c9f453dd6b8e02157204b1cf9db8dae82f460743957da77d
Opcode Fuzzy Hash: 8ab991accea501f896650e88b4d35aa8e9ec8ae097d931427bbc74f0d8793657
Instruction Fuzzy Hash: E421BD72500204AFEB218F65DC84FABFBECEF14224F04886AE9859B651D774E4488BB5

Function 0107A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A40C

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d3c7ad030f3e7e62d262269f53ce8cfbc66f28bd92ecf8951235c4f838e6f9c8
Instruction ID: 991185fa81815bef7a7b0bfe207a332eb752c5c11c15c8a53663842560fedce7
Opcode Fuzzy Hash: d3c7ad030f3e7e62d262269f53ce8cfbc66f28bd92ecf8951235c4f838e6f9c8
Instruction Fuzzy Hash: BC218B71604344AFE721CF15DC84FA7BBF8EF45620F08849AE985DB292D364E908CB65

Function 0107A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A8DE

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 30128ad9cb14ac0e10980169c75dfd58f2b4637af573175ffc8d8058c2048655
Instruction ID: 9cc2de29810f16ecfd124e3352e7843e75185cbf85cb17ff680bbccd9304e1a7
Opcode Fuzzy Hash: 30128ad9cb14ac0e10980169c75dfd58f2b4637af573175ffc8d8058c2048655
Instruction Fuzzy Hash: 2221C171508380AFE7228B24DC44FA6BFB8EF46724F0884DAE9849B553C274A809CB75

Function 0107A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A9C1

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6c0db08af01670afd1683fb14dd63e0fca7a4530c298d1428693ba4387ae0cbc
Instruction ID: 753a237b145f91a5eab2c197308b6a7f8747461f4a3527e667cb9f528debd8fe
Opcode Fuzzy Hash: 6c0db08af01670afd1683fb14dd63e0fca7a4530c298d1428693ba4387ae0cbc
Instruction Fuzzy Hash: D721A171509380AFDB22CF65DC44F97BFB8EF46214F0884DAE9849B152D375A409CB76

Function 0107A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0107A67D

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c76ee3168c0895f55cd07af88578b72896325b00124b3f10501a7792bfb650
Instruction ID: cfcd3e21eafee209b1447b7ed0a70c3ca2f003fe6d9d4773120b719070a12a4d
Opcode Fuzzy Hash: 26c76ee3168c0895f55cd07af88578b72896325b00124b3f10501a7792bfb650
Instruction Fuzzy Hash: 2821AE71A00204AFE721CF65DD85F6AFBE8EF58224F08886DE9858B651D371E408CB75

Function 0107A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A815

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ce53f7d2a3035a5fb23945123ba38d3dc8a09f07c1ec1cecad7218fa83670e39
Instruction ID: de29d0627c89c60aa1726a64df4016bfd14989e8968779179654e1db47de0848
Opcode Fuzzy Hash: ce53f7d2a3035a5fb23945123ba38d3dc8a09f07c1ec1cecad7218fa83670e39
Instruction Fuzzy Hash: B22105B54083806FE7128B21DC40BA6BFB8EF56324F0880DAE9849B293D264A909C775

Function 0107A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0107A748

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4b87ebd321c8c809b0064f4f03966e39ce0cb53a4bf73edbe046880cdea0e383
Instruction ID: 34e54a5b84fe5beda20ac9c28658afa10807ebbfe4e14ccd852d6f3405c10609
Opcode Fuzzy Hash: 4b87ebd321c8c809b0064f4f03966e39ce0cb53a4bf73edbe046880cdea0e383
Instruction Fuzzy Hash: 8721A4759093C09FDB138B25DC95752BFB8EF07220F0D84DADD858F6A3D2649909C762

Function 0107AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0107AA8B

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6675e002695042187c06b56ac031daa9ab4cedf6635852daae676b1f3e32240b
Instruction ID: 29233ad6a2956794eb459a6480cb13403bad9e6f831402b44c00ce1fd205e5ae
Opcode Fuzzy Hash: 6675e002695042187c06b56ac031daa9ab4cedf6635852daae676b1f3e32240b
Instruction Fuzzy Hash: EA2183716093C09FD752CB29DC55B96BFE8AF06324F0D84EAE984CB153D325D909CB61

Function 0107A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A40C

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 57282f6bd57a6cbd20dff62d11d3241e767251d0ce9813bb58cfefbbd2ec348e
Instruction ID: faab512d228a00d556c7310327628e377c3f5cab8a295542c2363b5b0e4ffebb
Opcode Fuzzy Hash: 57282f6bd57a6cbd20dff62d11d3241e767251d0ce9813bb58cfefbbd2ec348e
Instruction Fuzzy Hash: D9219D71A00204AEE760CF15CC84FABB7ECEF54610F08C49AE9859B651D760E809CA75

Function 0107A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A9C1

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3a776c866718afdef37a736d28b5d6aa9e6022451413745e766ee9e5974e2e62
Instruction ID: 7a330079f95223134f2954d829ade11674715e4bf7869e2bf1b52086b48b39e2
Opcode Fuzzy Hash: 3a776c866718afdef37a736d28b5d6aa9e6022451413745e766ee9e5974e2e62
Instruction Fuzzy Hash: 1611EF72A00200EFEB21CF55DC40BABFBE8EF14324F08845AE9459B651D374E418CBB5

Function 0107A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A8DE

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f59f116dfdda92c262bbe0133afbdac92f69bdb1f2cd89bf92933e87b73b71b1
Instruction ID: 0c89decaa8c176591524ccc0b34805bdf8ccd6f9f66c32dbae860d851f789431
Opcode Fuzzy Hash: f59f116dfdda92c262bbe0133afbdac92f69bdb1f2cd89bf92933e87b73b71b1
Instruction Fuzzy Hash: A011C171A00204EFEB61CF55DC44BAAFBE8EF54724F08C49AED459B641D374E4188BB5

Function 0107A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0107A30C

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 72fcd90d1dd822e617917b7b073bc66c1d6f0f7cdd170caecb0c5818a983e6e1
Instruction ID: 00cbef982677ce2c56722a81da3b83904d14a3bf513186b21e3deab45ff27463
Opcode Fuzzy Hash: 72fcd90d1dd822e617917b7b073bc66c1d6f0f7cdd170caecb0c5818a983e6e1
Instruction Fuzzy Hash: E9118C759093C09FDB228B25DC54A56BFB4EF47220F0984DAED848F263D265A809CB62

Function 0107AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0107AFE4

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c438394d46472ba83cb3ac43fe601dd2b563de64192d0354c5c6c235fd706204
Instruction ID: eb77865e8499db6c98df3c8be79f3c7bf64fb6180fc4b05f6eac2618b53a4420
Opcode Fuzzy Hash: c438394d46472ba83cb3ac43fe601dd2b563de64192d0354c5c6c235fd706204
Instruction Fuzzy Hash: 6B11A0715093C49FD7128B29DC45B52FFF4EF46220F0984DEED858B263D274A808CB61

Function 0107B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0107B208

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 990106205482aa591cf6a8b1f52ddc5107fabccf620172247b1e2528308d3d0d
Instruction ID: 5e260b896ef382a08d8c363d2345bc3f9c70cd6b9725fdbf84f5575f8a6800ea
Opcode Fuzzy Hash: 990106205482aa591cf6a8b1f52ddc5107fabccf620172247b1e2528308d3d0d
Instruction Fuzzy Hash: DD115E719093849FDB12CF25DC54B56BFB4EF46220F0884DAED858F252D279A908CB62

Function 0107AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0107AA8B

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d2f8d4db91cd015d8a5d6b8fa6b596f139f09e32b59528f6b7fec351369ddf95
Instruction ID: 616fe5b5fb001eb0c726092560a67411f748e175ae91b667ff2637fd0218cc94
Opcode Fuzzy Hash: d2f8d4db91cd015d8a5d6b8fa6b596f139f09e32b59528f6b7fec351369ddf95
Instruction Fuzzy Hash: 54118271B002409FEB50DF19D98475AFBE8EF05220F0CC4AADD45CB242E374E404CB65

Function 0107A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,4CA933BE,00000000,00000000,00000000,00000000), ref: 0107A815

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: aa06979c9a149f62cfc60a63c87ef0da03ca7de3fdc6294f034a60c92addc47d
Instruction ID: 645be106584716c268f80e3ff75ec266c0ccf1255342ee1b2788c1be04fd9875
Opcode Fuzzy Hash: aa06979c9a149f62cfc60a63c87ef0da03ca7de3fdc6294f034a60c92addc47d
Instruction Fuzzy Hash: DE01D671A00244EEE760CF05DC85BABF7E8EF54624F08C09AED459B741D374E4098AB5

Function 0107ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0107AC36

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 1d2397bbfc8861139b90e59e4bbe49c7d77ee7aa9571004af3be722a38cc24b9
Instruction ID: cb28b968f389ff67394a9358b69db1d6da6f74a775493fbdaf033b3fd25db99f
Opcode Fuzzy Hash: 1d2397bbfc8861139b90e59e4bbe49c7d77ee7aa9571004af3be722a38cc24b9
Instruction Fuzzy Hash: 50019E71600200ABD310DF16DC86B66FBE8FB88A20F14851AEC089B741D731F915CBA1

Function 0107A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0107A1C2

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 95733328e974a47d31669bb510dffb594226678b30a19932b391e7431688313a
Instruction ID: 13a82577d302abbdbe2d93dddd0c7518c2ee02e00409409d440cee10e53e8ef4
Opcode Fuzzy Hash: 95733328e974a47d31669bb510dffb594226678b30a19932b391e7431688313a
Instruction Fuzzy Hash: B3017171600600AFD314DF16DC86B66FBE8FB88A20F14855AED089B741D735F915CBE5

Function 0107A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0107A748

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9e1a69bd0d2ff328da6739edf8f324c148fea1195580c54fc7a9af6141b35b03
Instruction ID: 9570fa6337cfa5a24063c2d57e7bf935a9951078a1af8c3d9100d9ce851d3a95
Opcode Fuzzy Hash: 9e1a69bd0d2ff328da6739edf8f324c148fea1195580c54fc7a9af6141b35b03
Instruction Fuzzy Hash: 3501DF71A00240CFDB50CF19DD8576AFBE4EF05220F08C4AADC4A8B652D378E408CAA2

Function 0107AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0107AFE4

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: d32615119b3ff470ee03adbf08334907bfe64f7103d200e65c89bfcf8d13d398
Instruction ID: e2b364ca6182598888cba46288f6033f53f45bad76e82ca2896bfe9ac9298bd3
Opcode Fuzzy Hash: d32615119b3ff470ee03adbf08334907bfe64f7103d200e65c89bfcf8d13d398
Instruction Fuzzy Hash: 8001F475A00248CFDB518F19D88576AFBE4EF05320F08C0AADD458B792D375E848DEA2

Function 0107A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0107A30C

Memory Dump Source

Source File: 00000000.00000002.4454397050.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1e48d41c8893e6dd3dfab41cf7a1501cdcd19f88e4e24b11adb82c4a139452a7
Instruction ID: a4f39f3c21850b3d527cb10c8204c9a2c623c5366809f49a3e8b85754632e821
Opcode Fuzzy Hash: 1e48d41c8893e6dd3dfab41cf7a1501cdcd19f88e4e24b11adb82c4a139452a7
Instruction Fuzzy Hash: 32F0A435A04244CFDB50CF05D88576AFBE4EF45620F0CC09ADD454B752D3B5E418CA66

Function 01040883 Relevance: 1.0, Instructions: 973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454359593.0000000001040000.00000040.00000020.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1040000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fbb7654806c5ccc5b74dc423828a3c1d302bc533d183373e20b77686d58144
Instruction ID: 5ab2dd4415cdeca273126247b84f3a498a2ed7e861c8ce8582ff4a5eee3d34de
Opcode Fuzzy Hash: 35fbb7654806c5ccc5b74dc423828a3c1d302bc533d183373e20b77686d58144
Instruction Fuzzy Hash: 92216DE294E3C04FE30357349D516A5BFB09F53224F1E84EBD984CB663E269494AC7A3

Function 052302C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1e307198571f318047da498099a2d7e782ef86b82997c2aed93f0312c32e99
Instruction ID: 8ba228a7dc18895e50d4cec957f8c3ffc0acf321d2885cc9c53a7f196e70730e
Opcode Fuzzy Hash: 0a1e307198571f318047da498099a2d7e782ef86b82997c2aed93f0312c32e99
Instruction Fuzzy Hash: 56B15935612301CFC758DF64E859A5F7BAAFF88600B1090B8E946AB356DB3D9C01CFA1

Function 05230799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba076df626b7e354e29e4e56034ac060d773681956121492eb2dc95c2cacf834
Instruction ID: 8fae374019770f366d2d60758e3f629f69cb9ce0497740b08f2b4e0e9cba5528
Opcode Fuzzy Hash: ba076df626b7e354e29e4e56034ac060d773681956121492eb2dc95c2cacf834
Instruction Fuzzy Hash: 3FA16B31B002018BDB18ABB4D45976F77A7FFE4708F248069D946AB394DB7D9C428BA1

Function 05230C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d2c249ba64506f41a5bd29d63bad297554925915e5e4384d4612642c39d18c
Instruction ID: f28e26df88739d9e33660c485ed53c2ae1db1d2ee058f0bdad4f6f6ba76cc807
Opcode Fuzzy Hash: a5d2c249ba64506f41a5bd29d63bad297554925915e5e4384d4612642c39d18c
Instruction Fuzzy Hash: E6212671B043854BC716EB3984413AE7AE7AFD6208F4484BCD4C6DB342DF3DA90687A6

Function 05230CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace1dee02072d555ef68fb82ee7dd64f10a58812bc490f37249488d02a0651aa
Instruction ID: ddc5456c875f4a70ac9a74eb2989daa4c1fb993403c6ac108191545ad4cd887d
Opcode Fuzzy Hash: ace1dee02072d555ef68fb82ee7dd64f10a58812bc490f37249488d02a0651aa
Instruction Fuzzy Hash: C321F171B046058BCB14EB3684412AFB7E7AFE5208B44887CD486DB741DF79E9068BA9

Function 05230BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b99f73a59a7b748e59bde9eb8cf776487f1adc21d2bc598d5025169068b09e
Instruction ID: af66c209b19077fc809c8eefbc6720e95f9337f97aa40c58fba78c11dd115b57
Opcode Fuzzy Hash: 45b99f73a59a7b748e59bde9eb8cf776487f1adc21d2bc598d5025169068b09e
Instruction Fuzzy Hash: D0118F33B10219AFCB44ABB8D84599F7BF6EFC8214B044479E605E7230EB39AC158B80

Function 0104080B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454359593.0000000001040000.00000040.00000020.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1040000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c44e760c7306d3cf5cd2d337bf0cb092b2056696fcfc705836c37c240c2413
Instruction ID: c11fdc3f1f1107969b23e90b947ffd9c5db8489d03cf3972ca6b3cd3cfbff57e
Opcode Fuzzy Hash: e1c44e760c7306d3cf5cd2d337bf0cb092b2056696fcfc705836c37c240c2413
Instruction Fuzzy Hash: A4018FB2409644AFD300DB05ED41C57BBFCEF86525F09C86AEC489B711E235A9188BB2

Function 010405E3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454359593.0000000001040000.00000040.00000020.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1040000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cd20f7c72043d11abbe630bf4f839a1adbcb6370297d68fd73496e2e410f8d
Instruction ID: 8c398d8dd8827833a4d1fd35b3d711a379825eff7331a26f9c9252dd726df353
Opcode Fuzzy Hash: 61cd20f7c72043d11abbe630bf4f839a1adbcb6370297d68fd73496e2e410f8d
Instruction Fuzzy Hash: 4BF0A4B65497806FC7118B16EC41853FFF8EF8623070984ABEC498B612D239B919CB72

Function 0104082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454359593.0000000001040000.00000040.00000020.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1040000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b0d3cfeebc85a512aef53c99f828fae6b58399942ee225aeea299bf3fc4dbf
Instruction ID: cff5fd6e5b2ad61f7e7ea87706a2316a76eb55341c337b2cfb3207f0982fac91
Opcode Fuzzy Hash: 95b0d3cfeebc85a512aef53c99f828fae6b58399942ee225aeea299bf3fc4dbf
Instruction Fuzzy Hash: 5BF082B2845204AB9240DF05ED458A6F7ECEF84521F04C52AEC088B700E276A9198AF2

Function 05230C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d3b1e37df1b9c855d75b148436a59908dc79d1a1ca87356459376fee92c768
Instruction ID: 945e7b610ce3eba1fea93b780024ded883f60ebd9d570f331adf00d7dcb3764e
Opcode Fuzzy Hash: d4d3b1e37df1b9c855d75b148436a59908dc79d1a1ca87356459376fee92c768
Instruction Fuzzy Hash: 30E0DFB2F1A2541FDB44DAB898115DE7FA1DB82124B8444BAD088DB351EE3A8903C7C0

Function 01040606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454359593.0000000001040000.00000040.00000020.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1040000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fffe106b28594656de258750c0f59c2fb98d28ee509671ee988d82f4e2ba70
Instruction ID: a6721e3404031f982c0c8864d6425ffbb47f2b522a638f6ef47a41cfee3503df
Opcode Fuzzy Hash: 39fffe106b28594656de258750c0f59c2fb98d28ee509671ee988d82f4e2ba70
Instruction Fuzzy Hash: 8CE092B66006044B9750CF0BFC41462F7E8EB84630708C47FDC0D8B711E639B508CAA5

Function 05230C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcd09898d6b2035922badd83110e77ff2618e1819303126375951805a64bc18
Instruction ID: c3fab226ff1d5ece6e765a6786581726423b1cbf7ab5b65f93cd7c85514f2a80
Opcode Fuzzy Hash: 6fcd09898d6b2035922badd83110e77ff2618e1819303126375951805a64bc18
Instruction Fuzzy Hash: 3BD01272F152182B9B44EAF9984159F7BEA9B84154B9444799009D7350EE35990187C0

Function 05230E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be72a2c248ede8d766c4a2250a3088ce16afb1a113fb92c996aa2a7a2472b191
Instruction ID: 5d5b8bcd10c1ec73a5576068a523462007fba6956137b1eeaca2920de7c2fb89
Opcode Fuzzy Hash: be72a2c248ede8d766c4a2250a3088ce16afb1a113fb92c996aa2a7a2472b191
Instruction Fuzzy Hash: 60E08C3231A3808FC7079778981A5997F719F97214F49C0EA8088CF2B3C239C805CB51

Function 05230DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32248057d67b69e94ed7e0df120e817dac8b6e33ed3602c35151b227b0ba85c
Instruction ID: 16fbffbc1907759e78323f211b73862c35abeb4e93db0aa3be273ead788831b5
Opcode Fuzzy Hash: a32248057d67b69e94ed7e0df120e817dac8b6e33ed3602c35151b227b0ba85c
Instruction Fuzzy Hash: A4E0122531E3C04FC707577494295A53F726FD2214F4D80EAD4848F263C928D959D791

Function 010723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454384697.0000000001072000.00000040.00000800.00020000.00000000.sdmp, Offset: 01072000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1072000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a497fc03ee45d4c0f6f524c8d619b361bb194beb10c463931ae1bb135cfed51
Instruction ID: 895f1f2f0203e10543f69915e78c022d3fc1f776804feece20907c6ccd7cdb00
Opcode Fuzzy Hash: 9a497fc03ee45d4c0f6f524c8d619b361bb194beb10c463931ae1bb135cfed51
Instruction Fuzzy Hash: 09D02E3A2016C08FE3228B0CC1A4B853BE4AB60704F0A00F9A8408B763CB28D4C0C200

Function 010723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454384697.0000000001072000.00000040.00000800.00020000.00000000.sdmp, Offset: 01072000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1072000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b39aa3a8564c6af10b7a72cdd958f64c68afeb223b839fdc1220b801aad5661
Instruction ID: 7372b0e142b15ed2aa4b207374dd2dc1de8dc7c44ae8e3cf9060d0138e49596b
Opcode Fuzzy Hash: 9b39aa3a8564c6af10b7a72cdd958f64c68afeb223b839fdc1220b801aad5661
Instruction Fuzzy Hash: 06D05E347016814BD725DA0CC6D4F593BD4AB50B14F0684ECAC508B762C7A8D8C0CA04

Function 05230DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5592c8e7063ed98c2723ea19d73dd3c831520eec096eb456db8b277463269438
Instruction ID: 8f5262d28668d3e8ebade185865642b2124cf4c91ea121a040ffb3989bacd307
Opcode Fuzzy Hash: 5592c8e7063ed98c2723ea19d73dd3c831520eec096eb456db8b277463269438
Instruction Fuzzy Hash: 29C012313103048BC704A779D41EE26739AAFD0304F89C0B484094B261CA78EC40C694

Function 05230E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4455480319.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5230000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bec2983504575f0ac0c2b4bec1347a19de8e87dd68b2b2469d47bef7c39a71
Instruction ID: d7f1e2f935f9ba541258c5931008b11527657665115b8980679317214fc64ec2
Opcode Fuzzy Hash: b0bec2983504575f0ac0c2b4bec1347a19de8e87dd68b2b2469d47bef7c39a71
Instruction Fuzzy Hash: 84C012323103048BC704A778D51EA2A779AAFD4304F88C0B444095B261CA78EC40C654

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CITY OF PETERBOROUGH - 458869.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 5340, Parent PID: 1028

General

Chronological Activities

Analysis Process: 7za.exePID: 6760, Parent PID: 5340

General

Chronological Activities

Analysis Process: conhost.exePID: 6720, Parent PID: 6760

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 5340, Parent PID: 1028COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0107B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 0107B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Control-flow Graph

Windows Analysis Report
CITY OF PETERBOROUGH - 458869.zip

Function 0107B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0107AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0107AB76 Relevance: 1.6, APIs: 1, Instructions: 96
pipeCOMMON

Function 0107A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0107A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Function 0107AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0107B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0107A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0107A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0107A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0107A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0107A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0107A6D4 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 0107AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0107A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON