Edit tour

Windows Analysis Report
Aseprite1.3.7.x64.b.taiwebs.com.zip

Overview

General Information

Sample name:	Aseprite1.3.7.x64.b.taiwebs.com.zip
Analysis ID:	1451753
MD5:	04b135e04c4066a536973fcda8cc6c3a
SHA1:	6f5ff4b3de23f5bff6356cee2038a4177b870e6e
SHA256:	8dab14808c3a1ffdb75ddfdb935de86663b37a1162f6ee1d9fe8ec4b29a157ec
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 7780 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 7836 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\okinegs4.fzk" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

• Compliance
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\okinegs4.fzk\Aseprite 1.3.7 (x64)\Readme.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\okinegs4.fzk" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\okinegs4.fzk" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Aseprite1.3.7.x64.b.taiwebs.com.zip

Static file information: File size 12745856 > 1048576

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\okinegs4.fzk\Aseprite 1.3.7 (x64)\Readme.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4840000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 543			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9426			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7900	Thread sleep count: 543 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7900	Thread sleep time: -271500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7900	Thread sleep count: 9426 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7900	Thread sleep time: -4713000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0082B1D6 GetSystemInfo,

0_2_0082B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\okinegs4.fzk" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aseprite1.3.7.x64.b.taiwebs.com.zip	0%	ReversingLabs
Aseprite1.3.7.x64.b.taiwebs.com.zip	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1451753
Start date and time:	2024-06-04 15:17:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aseprite1.3.7.x64.b.taiwebs.com.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:19:17	API Interceptor	4261807x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3784
Entropy (8bit):	5.04439616666233
Encrypted:	false
SSDEEP:	48:h+wZuGDGbDGDGphGCGDGpkRGbtGPRGrGoGlG+GDGDGDGDG0GkGDGDGm6+GDGqGDc:onpBOZ8Hkk
MD5:	A9ADE9FFE43812664253ED4230FCAB73
SHA1:	FAF449BEC358A3C714EC2C8F7885DF98D2E9AED4
SHA-256:	4D2BA4A8FE47F9718B3FCC0D6BF1C0138098BA3F919EC4BDCC23075247D92AF8
SHA-512:	D3821CA588E03308E3B10A01B7A2484B93714D721688FE6582C8FC9FB400764D310A7273308365F09476BAD9B244BE66828858AB9E3866EDB19B161584909ADB
Malicious:	false
Reputation:	low
Preview:	06/04/2024 9:18 AM: Unpack: C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip..06/04/2024 9:18 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\okinegs4.fzk..06/04/2024 9:18 AM: Received from standard out: ..06/04/2024 9:18 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..06/04/2024 9:18 AM: Received from standard out: ..06/04/2024 9:18 AM: Received from standard out: Scanning the drive for archives:..06/04/2024 9:18 AM: Received from standard out: 1 file, 12745856 bytes (13 MiB)..06/04/2024 9:18 AM: Received from standard out: ..06/04/2024 9:18 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip..06/04/2024 9:18 AM: Received from standard out: --..06/04/2024 9:18 AM: Received from standard out: Path = C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip..06/04/2024 9:18 AM: Received from standard out: Type = zip..06/04/2024 9:18 AM: Received from standard out: Physi

Static File Info

General

File type:	Zip archive data, at least v1.0 to extract, compression method=store
Entropy (8bit):	7.999985971213235
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	Aseprite1.3.7.x64.b.taiwebs.com.zip
File size:	12'745'856 bytes
MD5:	04b135e04c4066a536973fcda8cc6c3a
SHA1:	6f5ff4b3de23f5bff6356cee2038a4177b870e6e
SHA256:	8dab14808c3a1ffdb75ddfdb935de86663b37a1162f6ee1d9fe8ec4b29a157ec
SHA512:	73fa9d142a4b5a8a73971551b47b89af5cd2dc6a5d481888d3d1577755320bca3be6d031641c98bbfc5d0ebc3e56e48c19bcc0d97bd62bb93b75571230544c2b
SSDEEP:	393216:h2fYACzKwVT7kZD87SWABXFJBOkcsv3ujR:hi3wT7kZD87SWGV/csvujR
TLSH:	43D6338B404C35912C8C96BEA995D98F671BF1C0558D3FA48AF321743A1183ED78F7AE
File Content Preview:	PK........w..X................Aseprite 1.3.7 (x64)/PK......c.eY.XG....z......(...Aseprite 1.3.7 (x64)/Aseprite-v1.3.7.exe......AE............K..../..&amw.p&q...oV8d....hvw.DF..Y\c=..c..a.x..>...2...R..Q....:. ;.&./...k. .I.x,J...k.L..x....!..../6y..'.....

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 7780, Parent PID: 3504

Function Logs

General

Target ID:	0
Start time:	09:18:44
Start date:	04/06/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip"
Imagebase:	0x230000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 7836, Parent PID: 7780

Function Logs

General

Target ID:	2
Start time:	09:18:45
Start date:	04/06/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\okinegs4.fzk" "C:\Users\user\Desktop\Aseprite1.3.7.x64.b.taiwebs.com.zip"
Imagebase:	0x4a0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7848, Parent PID: 7836

Function Logs

General

Target ID:	3
Start time:	09:18:45
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 7780, Parent PID: 3504COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	21.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0082B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0082B208

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 818b027602693ef5a996a2eba4e714a19a5089923e5b314c96810b7ece4df32f
Instruction ID: 55ae4d56f69a646084e280fa9aad04cad03bd6eae042cd060b4c09c0546a5781
Opcode Fuzzy Hash: 818b027602693ef5a996a2eba4e714a19a5089923e5b314c96810b7ece4df32f
Instruction Fuzzy Hash: BB01A271801344CFDB10CF15E885766FBE4EF05324F08C4AADD598F652D379A484CBA1

Function 049F0C99 Relevance: 3.8, Strings: 3, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`k, xrefs: 049F0D62
Pk, xrefs: 049F0CC8
`k, xrefs: 049F0D37

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID: Pk$`k$`k
API String ID: 0-3919591665
Opcode ID: 1711d468ed0d2fa650e0cda03c40118bdedc35ad8726a59a0f178ac459e88014
Instruction ID: b6048041409cdf7c2fb79f4a91b5fb4530381fbc408a7c648cf6e628f85b58d4
Opcode Fuzzy Hash: 1711d468ed0d2fa650e0cda03c40118bdedc35ad8726a59a0f178ac459e88014
Instruction Fuzzy Hash: 852105347006148FCB15EA3998512AF7BD7AFD9208B44843CD849DB746DF39E90A8792

Function 049F0CA8 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`k, xrefs: 049F0D62
Pk, xrefs: 049F0CC8
`k, xrefs: 049F0D37

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID: Pk$`k$`k
API String ID: 0-3919591665
Opcode ID: 09ad2ba5ed0b70b3856bdd8f83f94947aeded705528246730549daf43ddc337d
Instruction ID: 0991d1b93fce13be3cac9ffef8437f054353c29b1766351c3feff920798e9c83
Opcode Fuzzy Hash: 09ad2ba5ed0b70b3856bdd8f83f94947aeded705528246730549daf43ddc337d
Instruction Fuzzy Hash: A321F3307006148BC714EB3988112AFBBD7AFC9608B44883CD446DB745EF79F90687A2

Function 0082B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0082B2F3

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3f65bc675cbee918583226c2fb4e18e079271d9e322f5392d07a918d8d6bc787
Instruction ID: c7b19206985bff060d2908039a9ac3b3c65df950dda08ba69897b48494ce2000
Opcode Fuzzy Hash: 3f65bc675cbee918583226c2fb4e18e079271d9e322f5392d07a918d8d6bc787
Instruction Fuzzy Hash: 12318371404344AFE7228B61DC45FA7BFFCEF06324F04889AE985CB662D324A949CB71

Function 0082AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0082ADA7

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dfa2b1f60f811fc7b9fe1d2e170d567ac1cad5ea2f5dcebe1e591471264310d9
Instruction ID: aedcba9c8f0b5edccf7b6791ad73014816869741c8996303bdc154af36038181
Opcode Fuzzy Hash: dfa2b1f60f811fc7b9fe1d2e170d567ac1cad5ea2f5dcebe1e591471264310d9
Instruction Fuzzy Hash: 56319571404384AFE7228F65DC44FA7BFECEF05214F04889AF985CB562D224A459CB71

Function 0082AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0082AC36

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 9b4f638a5d858af1df3ff234a1f9ff31389456be0dd80e62bbd7d8015b80c308
Instruction ID: a125e2934fbaa319a0133261f02d5da2cb2531b65c7fabc30d6532764c5cc6be
Opcode Fuzzy Hash: 9b4f638a5d858af1df3ff234a1f9ff31389456be0dd80e62bbd7d8015b80c308
Instruction Fuzzy Hash: 94316D7250E7C06FD3138B618CA5A56BFB4AF47210F1A84CBD8C4CF5A3D2296819C762

Function 0082A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0082A67D

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4958038e79f48b757720da1c4a81cc9015de9c702a35ec0e789a702b81bc3783
Instruction ID: 376277909bc77aa4e91ece9b26ada2d0d0f495b06c49dd7f1dbd31fb461994aa
Opcode Fuzzy Hash: 4958038e79f48b757720da1c4a81cc9015de9c702a35ec0e789a702b81bc3783
Instruction Fuzzy Hash: 68318F71505340AFE721CF65DC44F62BFE8EF05224F08889EE9858B652E365E809CB71

Function 0082A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0082A1C2

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: bea61067c94266db96f3ba37199dfcf6175dea2a7cfdf1dc834675a161fc3d80
Instruction ID: f6d90ab527028e772c9c162508afe4852a56264dd3f021c5b2229c37a3f817b3
Opcode Fuzzy Hash: bea61067c94266db96f3ba37199dfcf6175dea2a7cfdf1dc834675a161fc3d80
Instruction Fuzzy Hash: 9221A17150D3C06FD3128B258C61BA6BFB4EF47614F1985CBD884CF693E225A91AC7A2

Function 0082AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0082ADA7

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8feb4a2252a1c2a3c5d337dea38b9b96bfe021da33697945fdf25ed85408c439
Instruction ID: e9acd54e00548bc9a8cc84173252b1a05fd615dfc93cca25a08dbe6078abdfe5
Opcode Fuzzy Hash: 8feb4a2252a1c2a3c5d337dea38b9b96bfe021da33697945fdf25ed85408c439
Instruction Fuzzy Hash: 2B219272500204AFEB219F55DC44FABBBECEF04324F14886AE945CAA51E734E449CB61

Function 0082A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A40C

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 17b816f3e68c13147d20814b6df933292406214e9b27ef03d9f5d5bba0af491e
Instruction ID: d95910bee60c6959d75d5a2d4cdccd06bd76809a3d512eec10d1ab803646f3ec
Opcode Fuzzy Hash: 17b816f3e68c13147d20814b6df933292406214e9b27ef03d9f5d5bba0af491e
Instruction Fuzzy Hash: 02218D75504744AFD721CF11DC88FA7BBF8EF05710F08849AE945CB252D364E949CB62

Function 0082B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0082B2F3

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb9753a522218f3362ef481bb3dacf9e6af02920fd2c4408187046fad46fdeba
Instruction ID: 6783ebce055e00eb46cab0432a8b6664eef565bc322901f7dc8fac9622df28f8
Opcode Fuzzy Hash: cb9753a522218f3362ef481bb3dacf9e6af02920fd2c4408187046fad46fdeba
Instruction Fuzzy Hash: E5219072500304AFEB21DF65DC45FABBBECEF04324F04886AE945CBA51E774E5488BA1

Function 0082A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A8DE

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0f4ebaa3727489ee91c9375eef1157b4dcb176cfd5c53d30785b20799be063df
Instruction ID: 78478f1170992d2f5c445fa09f88d9b1e44a9378d55aa38b6f0ebb4e90444816
Opcode Fuzzy Hash: 0f4ebaa3727489ee91c9375eef1157b4dcb176cfd5c53d30785b20799be063df
Instruction Fuzzy Hash: 4321C4714083806FE7128F11DC44FA7BFB8EF46714F0984DBE994CB652D224A849C771

Function 0082A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A9C1

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 53b749f93a1ed04193ee98dee7e4bf12ae53092e27c475b256338f48ff173cc5
Instruction ID: 1651c4b7989457d54338a4cac10cd758a668e84b0203f952180edddcba49c1ec
Opcode Fuzzy Hash: 53b749f93a1ed04193ee98dee7e4bf12ae53092e27c475b256338f48ff173cc5
Instruction Fuzzy Hash: 0621A171409380AFDB228F51DC44F97BFB8EF06314F0888DAE9958B252D265A449CBA2

Function 0082A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0082A67D

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1914a1e75727199097c795309215fce40dd2cd072569f3ed00dabed688dbb7d2
Instruction ID: b5eada997a963dbb3ce3132ca935676a823e44a45190813dd257a876a59cc6a8
Opcode Fuzzy Hash: 1914a1e75727199097c795309215fce40dd2cd072569f3ed00dabed688dbb7d2
Instruction Fuzzy Hash: 2D21B071500204AFE721DF25DC85FA6FBE8FF08314F088869E945CB651E375E848CB62

Function 0082A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A815

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 79756b2c673575d213118d11998f340042a8d49e0fa8b2576e77e5d49243fe75
Instruction ID: 43973a2866dd55702eb161a4d425483bca6120049c86c1b6f6eea4def7c6964a
Opcode Fuzzy Hash: 79756b2c673575d213118d11998f340042a8d49e0fa8b2576e77e5d49243fe75
Instruction Fuzzy Hash: 7A21D5B54093806FE7128B11DC44BA7BFB8EF47714F0880DBE9948B293D264A909C772

Function 0082AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0082AA8B

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: dcf0eb16a29c97ccc0478ccc3de8b375dbce2a5b5704b22bb039d162dd3f616f
Instruction ID: 4b29178c34f84cad6d2e5e181512a92b8bd29fc9e60e54ce950d0dbfdbe9b5a7
Opcode Fuzzy Hash: dcf0eb16a29c97ccc0478ccc3de8b375dbce2a5b5704b22bb039d162dd3f616f
Instruction Fuzzy Hash: 0F21AF715093C05FDB12CB29DC55B93BFE8EF06314F0D84EAE885CB153E2249949CB61

Function 0082A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A40C

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: decb574f74eaa190244a481b985cacde4c6bde5e5ed76476f991cb720af51d2b
Instruction ID: 1aa54e890eac617b99de2c64a8ab6a838501bd90cb9345feb9a3f0b73ac97722
Opcode Fuzzy Hash: decb574f74eaa190244a481b985cacde4c6bde5e5ed76476f991cb720af51d2b
Instruction Fuzzy Hash: C0216D756006049FE720DF15DC88FA7F7E8EF04714F04845AEA55CB751E364E889CAB6

Function 0082A6D4 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0082A748

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b1f76e0c6ae2555dfd8a028cd343fdf5883a741c7f0905a01c16fdd87625b30c
Instruction ID: cd80d3d325daec7561bd542d89ec82898dd90f059b9bea8136109f91721a1950
Opcode Fuzzy Hash: b1f76e0c6ae2555dfd8a028cd343fdf5883a741c7f0905a01c16fdd87625b30c
Instruction Fuzzy Hash: E921A1B59097C09FD7128B25DC95752BFB4EF07324F0984DBDC858B5A3D2249948C762

Function 0082A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A9C1

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 735bf898845368c6308ab410f4e712bb6477e12bff7f5200c25b7ec88f19c268
Instruction ID: 37941832ef0ab8d35ad373b91863542e8278f80f74ac8c076c684f6bb8762870
Opcode Fuzzy Hash: 735bf898845368c6308ab410f4e712bb6477e12bff7f5200c25b7ec88f19c268
Instruction Fuzzy Hash: 2911B671400204AFD721CF55DC84B97FBE8EF04718F14845AEA558A651D374A488CBB2

Function 0082A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A8DE

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 238c78bfac165bf857210c847027b893016c594facd30d1fb36139d72964d0e5
Instruction ID: 28fa8a5e1908ab892b7491a6ce7b745a3777cb297303c55322d6584429c9f945
Opcode Fuzzy Hash: 238c78bfac165bf857210c847027b893016c594facd30d1fb36139d72964d0e5
Instruction Fuzzy Hash: 0511B271400204AFEB218F55DC84BA7FBE8EF44724F14846AEA558B651D374A4898BB2

Function 0082A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0082A30C

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 864e00980e790362a28cf89f7f36f4885b7e71ac6f93a236b136983a93163981
Instruction ID: 52de1c331fa7469efa4826c918dae24671f08a94e42572447377490cc8ca3962
Opcode Fuzzy Hash: 864e00980e790362a28cf89f7f36f4885b7e71ac6f93a236b136983a93163981
Instruction Fuzzy Hash: CA11A3758093C09FD7228B25DC94A52BFB4EF07224F0984DBDD858F263D265A848CB72

Function 0082AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0082AFE4

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c9ea4e7fcd8f8afbc0d6105358831225249f193f2cc4cb2e6649c66acc686fb5
Instruction ID: f3cfa4220e36cee03f735478e00c921688221d7f3df5119313d9230636164cb5
Opcode Fuzzy Hash: c9ea4e7fcd8f8afbc0d6105358831225249f193f2cc4cb2e6649c66acc686fb5
Instruction Fuzzy Hash: E8119A755097C09FDB128B25DC85A53BFF4EF06220F0984DAED958B262D264A848CB62

Function 0082B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0082B208

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 43ec7aa44882378ee1271fcf27fa0cf40e5c5991a3204b61f1dec18918829f7c
Instruction ID: 24600269c781b593c97b36235d42d7b93b9b3d250f400bedb23df179541e496f
Opcode Fuzzy Hash: 43ec7aa44882378ee1271fcf27fa0cf40e5c5991a3204b61f1dec18918829f7c
Instruction Fuzzy Hash: AB1170714093C09FDB12CF15DC94B56BFB4EF46224F0884DAED858F252D275A948CB62

Function 0082A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,D90597B9,00000000,00000000,00000000,00000000), ref: 0082A815

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 22f4e388773236997d2ed92c14c51674450b325a581b1dc9d5c0063097002611
Instruction ID: 27c426fceec2b99dc760c9dd56f4418d333c710a347f38fde337081b995c9b44
Opcode Fuzzy Hash: 22f4e388773236997d2ed92c14c51674450b325a581b1dc9d5c0063097002611
Instruction Fuzzy Hash: F701DB755042449FE760CF05DC84BA7FBE8EF44728F14C066EE158B741E374E8498AB6

Function 0082AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0082AA8B

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1574a0bb01db839e881db15988af6bf3c098627c1e0530db162713f14652e47b
Instruction ID: 166cf1c6e52c6f6a271aafc3989a2922583a59f4a163cfe86520579a0ac8bae6
Opcode Fuzzy Hash: 1574a0bb01db839e881db15988af6bf3c098627c1e0530db162713f14652e47b
Instruction Fuzzy Hash: D6115E716002549FEB14CF19E985B57BBE8EF04724F08C4AADD0ACB652E674E884CB62

Function 0082ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0082AC36

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 7b30319a7ef99d0af0a2f027e388f2c4ab340801333208d3323711ec1ae6dea6
Instruction ID: 23cdd4b6523b61ca9cf6f8e7f4358a3fe1e0fe4b33e01f727aae74fe10513b01
Opcode Fuzzy Hash: 7b30319a7ef99d0af0a2f027e388f2c4ab340801333208d3323711ec1ae6dea6
Instruction Fuzzy Hash: 2F01B171500600AFD350DF16DC86B66FBE8FF88A20F14855AEC089B741E731B915CBE1

Function 0082A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0082A1C2

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: fa5bb37279bed6e089b8945f12913a7880f4da6e09a69c8826e4b74ec096eed0
Instruction ID: 7f278274ca0cf3dcb5eba539355f2d5e470df65f1d386475c369f38d129573d4
Opcode Fuzzy Hash: fa5bb37279bed6e089b8945f12913a7880f4da6e09a69c8826e4b74ec096eed0
Instruction Fuzzy Hash: 1F01B171500600AFD350DF16DC86B66FBE8FF88A20F14855AEC089B741E735B915CBE1

Function 0082A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0082A748

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bdf145a739450b9d5ec92bbee56ece59fd8592e1e8390f195ed33c0716331c97
Instruction ID: e86b3dcf779aa86d6653fde306d30f8471d12258d0cef0242b9454643cc29a90
Opcode Fuzzy Hash: bdf145a739450b9d5ec92bbee56ece59fd8592e1e8390f195ed33c0716331c97
Instruction Fuzzy Hash: 94018F759002448FDB108F19E9857A6FBE4EF04724F18C4AADD49CB652D279E888DAA2

Function 0082AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0082AFE4

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9cc11c1a30744c0d5ae7fa83c6f67e3a82dead83b4dc7a1178bab72a40e739a0
Instruction ID: 71b65e2c02fb0c5ea1f1466cfdfde2cf3bbbe357f83880e649296eeeed88a44c
Opcode Fuzzy Hash: 9cc11c1a30744c0d5ae7fa83c6f67e3a82dead83b4dc7a1178bab72a40e739a0
Instruction Fuzzy Hash: 2801D6755016448FDB108F15E884763FBE4EF04324F08C0AADD158B751E779E888DEA2

Function 0082A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0082A30C

Memory Dump Source

Source File: 00000000.00000002.3809855546.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b6621b21506a300751c264c0a1cf4e1343aa09bd0d5603cab176e2bf43656381
Instruction ID: 8fdd52f2df066b0fb8fd698e123e6d538205762d6f0d0590ebaa9deb114691c1
Opcode Fuzzy Hash: b6621b21506a300751c264c0a1cf4e1343aa09bd0d5603cab176e2bf43656381
Instruction Fuzzy Hash: 26F0A4354042448FDB20CF05E888762FFE0EF04728F08C09ADD058B752D379A888CAA2

Function 049F0798 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

\O5l, xrefs: 049F0966

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID: \O5l
API String ID: 0-1030507070
Opcode ID: e35d18c29fb24ffc57b56c9dcdd00e93e1cada84961ca7c1aeeb7ebda9f65e5e
Instruction ID: d67016c64188f9f23763667389dfba115ea58229ee65bded416aae0a5838aa60
Opcode Fuzzy Hash: e35d18c29fb24ffc57b56c9dcdd00e93e1cada84961ca7c1aeeb7ebda9f65e5e
Instruction Fuzzy Hash: 43A18A38B002048FDB08EBB4D8547BE77A7AFC8308F148469EA0697B95DB75AD46CB51

Function 049F02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be827840377b2dfb1a8e98ab4cfa874ae38afd6a64b98be2bb9d1b28997e9ebf
Instruction ID: 6c1ee6664e1e87cb3191a0daba4d3d002b2e2fe6e1001bb5a969c438aaee62f0
Opcode Fuzzy Hash: be827840377b2dfb1a8e98ab4cfa874ae38afd6a64b98be2bb9d1b28997e9ebf
Instruction Fuzzy Hash: 64B15B3D705610CFCB18EB65E858A5A7BF6FFC9340B5085A4EA069BB59DB31AC01CF90

Function 049F0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974337d13978af284c1b0a06fcfb6ac3b442c49a4d90beec9d2006d2bd4760c8
Instruction ID: e9cc47ba9741fbea6552ef3b8a6174e39292a4403636f7f40a3be7ab17f85771
Opcode Fuzzy Hash: 974337d13978af284c1b0a06fcfb6ac3b442c49a4d90beec9d2006d2bd4760c8
Instruction Fuzzy Hash: 7811B939A1411C9FCF55DBB4D8509DFBBF2AF882047054479EA06D7765DB31A81ECB80

Function 049F0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4006f285fab24a923103dfac885d46d7009a941d4d7b96c2888a47a6aba61e
Instruction ID: 37fc72a9f8eb157773dd7769dde00826929f806cc35a088612aa210d1b8d8cf9
Opcode Fuzzy Hash: 2f4006f285fab24a923103dfac885d46d7009a941d4d7b96c2888a47a6aba61e
Instruction Fuzzy Hash: 57119136A1011CAFCB44DBB8D8449DFB7F6BF88214B054475EA06E7764EB31A80ACB80

Function 00D5080B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810215903.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414337bf05c27663cb095f904fe34441b2877ca7ad0863b487386b009718a375
Instruction ID: fbfefd31e70f178489c4310b32c16fea9eabfbe0a4f858030dfe89509f4a1855
Opcode Fuzzy Hash: 414337bf05c27663cb095f904fe34441b2877ca7ad0863b487386b009718a375
Instruction Fuzzy Hash: E301D4B64096406FD301CF15EC41C57FFFCDF86524F08C8AAEC488B212E221A9188BF2

Function 00D505E3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810215903.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147c2cc018310a87034c1ed03a1e3a2c09390cf83d81f79c4f0f192a6cd5be88
Instruction ID: 03fe6982f4607ac4d9701b774a497ce37f0554d1a8a389fe1ff6badf39b46899
Opcode Fuzzy Hash: 147c2cc018310a87034c1ed03a1e3a2c09390cf83d81f79c4f0f192a6cd5be88
Instruction Fuzzy Hash: D5F0A4B65097806FD7118F16EC44863FFF8EF86620709C49FED498B612D225A808CBB2

Function 00D5082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810215903.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61f972c46b6ce89bae3594d5d81ad4267167dcf35093d623a279d1a40e37197
Instruction ID: c662ec3f4fbc2ea4a2597fd638aebe4383aa3677709e4c846c9ba4123d1c961f
Opcode Fuzzy Hash: e61f972c46b6ce89bae3594d5d81ad4267167dcf35093d623a279d1a40e37197
Instruction Fuzzy Hash: D7F082B6905204AFD340DF05ED85856F7ECEF84521F04C56AED088B700E276A9194BF2

Function 049F0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548d6040627a66a6dfe4b8a28d6b623bb5bc5650491c48c88d43be116e1c99da
Instruction ID: 356c543e6f3f1b2832cd1173f1cf14b1cf3b0c5dc91a35fc802bbccfc4185194
Opcode Fuzzy Hash: 548d6040627a66a6dfe4b8a28d6b623bb5bc5650491c48c88d43be116e1c99da
Instruction Fuzzy Hash: AFE0D821F153581FCB04DAB844546DE3FA19BD5064F8545B9C408D7781DA3498468381

Function 00D50606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810215903.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6d500a1109a23314081d3ca61cbf71d364002017630ae72df7ae300552dcaa
Instruction ID: d36b4f5ac3e877a8c654401162f28f741a9b6b133586246bda5ba84dcd4ffd0b
Opcode Fuzzy Hash: bf6d500a1109a23314081d3ca61cbf71d364002017630ae72df7ae300552dcaa
Instruction Fuzzy Hash: C8E092B66006044BD650CF0AFC81452F7E8EB88630748C47FDC1D8B711E635B548CAE5

Function 049F0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408798d2cb0d4d924f715b0fbff40209e255224048d51635afcc5cbb02ec750e
Instruction ID: ef7e32cf0c03e2af62a715b9a4b639a96cf7d65e9a93041ba298b2476b6497ac
Opcode Fuzzy Hash: 408798d2cb0d4d924f715b0fbff40209e255224048d51635afcc5cbb02ec750e
Instruction Fuzzy Hash: 69D0C231F0021C1B8B04EAB958005DE7BEA9BC4064B4040798409D3740EE30A84583D0

Function 049F0E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a444dd3c4424b2ad909597d356ed08c0baaa806113d68d47283cc4b6d9ee9986
Instruction ID: a8692e69f670649788158e082407b722c657320b5e65b935c2417146172a1cc2
Opcode Fuzzy Hash: a444dd3c4424b2ad909597d356ed08c0baaa806113d68d47283cc4b6d9ee9986
Instruction Fuzzy Hash: 44E0C2251993804FCB05E3709C195953F641FDA204F89C1E68C088B2A3C220E84AC301

Function 049F0DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7523b6a498d0eae5fcd8de55d06cb8308f26b68c843d1ade8bb63266bf0b8610
Instruction ID: 76058b5e4f38b50cc48a9f00a6ddae1b7072972771908021fc966a7ee3a5ef3f
Opcode Fuzzy Hash: 7523b6a498d0eae5fcd8de55d06cb8308f26b68c843d1ade8bb63266bf0b8610
Instruction Fuzzy Hash: 81E0C22418D3804FC702D3348C249A63F752FE1204F89C1EAC848CB6A7C220A849C740

Function 008223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809843822.0000000000822000.00000040.00000800.00020000.00000000.sdmp, Offset: 00822000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_822000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c74e25358352397951d27384748651d2ad88a0e13a89705ae4d046b43fe8e7
Instruction ID: 310db425f42a574ade94b2fb94959d0cff59097ec72faed9abda7735a2bbcbaa
Opcode Fuzzy Hash: d6c74e25358352397951d27384748651d2ad88a0e13a89705ae4d046b43fe8e7
Instruction Fuzzy Hash: DED02E792006D04FD312EA0CD2A4B8537D4BB40704F0A00FAAC00CB763C768D9C0C600

Function 008223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809843822.0000000000822000.00000040.00000800.00020000.00000000.sdmp, Offset: 00822000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_822000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfa1f347ee98b4943a8dcb8652b04c7b04d4287ace955a06cb7b83627de37bb
Instruction ID: ec5c16e0d3a4e5a658b2482bb39cf2632ace16ae26340f7560fb5c55c81da233
Opcode Fuzzy Hash: 1bfa1f347ee98b4943a8dcb8652b04c7b04d4287ace955a06cb7b83627de37bb
Instruction Fuzzy Hash: 02D05E342002814BC719DA0CD2D8F5977D4BF40715F0644E8AC10CB772C7B8D8C0CA00

Function 049F0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d1bf014128147fa4d3bb12dca1f967edf5e6a2f236e91724b9c542c585bb86
Instruction ID: f48f3e543a351581abdb0db340a89482726b1b1ada443147354e7c8c07eef3c1
Opcode Fuzzy Hash: c9d1bf014128147fa4d3bb12dca1f967edf5e6a2f236e91724b9c542c585bb86
Instruction Fuzzy Hash: DEC012312103088FC704A768DD18A29779D6BC4308F84C07459080B756CB70F840C740

Function 049F0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811116667.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff506d1d456aac765fe9756c957fc4e192198f6023a79724535b700e715b168
Instruction ID: da08d33f6c89aeec813fd6cc97bdf1b97b630bf5e5414d40a792ffc6889b172e
Opcode Fuzzy Hash: 1ff506d1d456aac765fe9756c957fc4e192198f6023a79724535b700e715b168
Instruction Fuzzy Hash: 33C012302103088FD704A768DC18A26739E6BC0318F45C07499080B756CB70F840C780

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aseprite1.3.7.x64.b.taiwebs.com.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 7780, Parent PID: 3504

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Windows Analysis Report
Aseprite1.3.7.x64.b.taiwebs.com.zip