Edit tour

Windows Analysis Report
ATT00004.zip

Overview

General Information

Sample name:	ATT00004.zip
Analysis ID:	1544863
MD5:	1bdac065cd8abdafdad2aa0f8b881428
SHA1:	6657fc8396e80a79b4b2525dc5f27a92d5e2b7cb
SHA256:	35d26ed6734c6903e52a887fa243f46626bf4d8787352b79a6399a2d8b980edf
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 5500 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\ATT00004.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6900 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\b22xvwxz.elc" "C:\Users\user\Desktop\ATT00004.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: classification engine

Classification label: clean2.winZIP@4/1@1/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\ATT00004.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\b22xvwxz.elc" "C:\Users\user\Desktop\ATT00004.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\b22xvwxz.elc" "C:\Users\user\Desktop\ATT00004.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 14F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 575			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9397			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5472	Thread sleep count: 575 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5472	Thread sleep time: -287500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5472	Thread sleep count: 9397 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5472	Thread sleep time: -4698500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0142B286 GetSystemInfo,

0_2_0142B286

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\b22xvwxz.elc" "C:\Users\user\Desktop\ATT00004.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544863
Start date and time:	2024-10-29 19:38:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ATT00004.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ATT00004.zip

Simulations

Behavior and APIs

Time	Type	Description
16:25:23	API Interceptor	3942595x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3337
Entropy (8bit):	4.983741366665018
Encrypted:	false
SSDEEP:	48:RNUtM0Nd9LSLG8LGb8LG8LGpmLGN+bLG8LGpStM0NLGbSLGbtM0NLGcNLGHLG8Lb:LOBzHa5RYm7
MD5:	2E990A3870FA519FB875431804384180
SHA1:	07A178312CDFB3E289189982943092E152E7868C
SHA-256:	4B52FE759FD54D851C31463FDA4F1622A872CC9001E4FDB8BF1CF937443595D0
SHA-512:	C81CCEB9CE920F9F66A43FE578459A129E8A135D8AD9C82A3A4293B434F36F723FF48ADF0870DEB22E63F77CB9222F33B447F841603BDFDF96664299231DC7B9
Malicious:	false
Reputation:	low
Preview:	10/29/2024 2:39 PM: Unpack: C:\Users\user\Desktop\ATT00004.zip..10/29/2024 2:39 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\b22xvwxz.elc..10/29/2024 2:39 PM: Received from standard error: ERROR: Wrong password : ATT00004..10/29/2024 2:39 PM: Received from standard out: ..10/29/2024 2:39 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..10/29/2024 2:39 PM: Received from standard out: ..10/29/2024 2:39 PM: Received from standard out: Scanning the drive for archives:..10/29/2024 2:39 PM: Received from standard out: 1 file, 202 bytes (1 KiB)..10/29/2024 2:39 PM: Received from standard out: ..10/29/2024 2:39 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\ATT00004.zip..10/29/2024 2:39 PM: Received from standard out: --..10/29/2024 2:39 PM: Received from standard out: Path = C:\Users\user\Desktop\ATT00004.zip..10/29/2024 2:39 PM: Received from standard out: Type = zip..10/29/2024 2:39 PM: Rece

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	4.237858396304879
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	ATT00004.zip
File size:	202 bytes
MD5:	1bdac065cd8abdafdad2aa0f8b881428
SHA1:	6657fc8396e80a79b4b2525dc5f27a92d5e2b7cb
SHA256:	35d26ed6734c6903e52a887fa243f46626bf4d8787352b79a6399a2d8b980edf
SHA512:	6fdf02d74f682139803d1463c0c41e8c4ca8cbacae0af24d7d19051f1e066eae7a8661cfeb808d8403adb175945337d9551cdaee02872dfa2b0df8ec65296a12
SSDEEP:	3:vhjkVgRntRlEdRXjkl6yHPcsQeK9K1ukcaXtVgRntRlUVdRXjkl6yHPz/+lOlXt:5juL/klvztcSDL/klt+lK9
TLSH:	00D080F71F62D384DD1D4F3C06D54300A4F0F41473131532150311015C814585FDB1A4
File Content Preview:	PK..........]Y..............$.ATT00004.. .............0......0......0..Ru..<.#....;o..MPK..-.........]Y..............$...............ATT00004.. .............0......0......0..PK..........Z...Z.....

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 19:39:44.852516890 CET	53	58785	162.159.36.2	192.168.2.7
Oct 29, 2024 19:39:45.500020981 CET	54421	53	192.168.2.7	1.1.1.1
Oct 29, 2024 19:39:45.510052919 CET	53	54421	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 19:39:45.500020981 CET	192.168.2.7	1.1.1.1	0xe271	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 19:39:45.510052919 CET	1.1.1.1	192.168.2.7	0xe271	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 5500, Parent PID: 4056

General

Target ID:	0
Start time:	14:39:09
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\ATT00004.zip"
Imagebase:	0xb20000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 6900, Parent PID: 5500

General

Target ID:	2
Start time:	14:39:10
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\b22xvwxz.elc" "C:\Users\user\Desktop\ATT00004.zip"
Imagebase:	0xdb0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3364, Parent PID: 6900

General

Target ID:	3
Start time:	14:39:10
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 5500, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	21.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0142B286 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0142B2B8

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: debb0adb4ab9de2c9a2e35df7b01e72b7fe3d4d3be4ce6f11748c974fa72dea7
Instruction ID: 0b609c63aa74a598aa9e8073bed664425a8a66f77f9078ddd86359bdf7087452
Opcode Fuzzy Hash: debb0adb4ab9de2c9a2e35df7b01e72b7fe3d4d3be4ce6f11748c974fa72dea7
Instruction Fuzzy Hash: AA01A2758043508FEB10CF16D889756FBE4DF05220F48C4ABDD488F256D2B5A584CBB2

Function 015A0C99 Relevance: 3.8, Strings: 3, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P@l, xrefs: 015A0CC8
`>l, xrefs: 015A0D37
`>l, xrefs: 015A0D62

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID: P@l$`>l$`>l
API String ID: 0-677101323
Opcode ID: 5169dc83cb44d0e67f4b7a1f034efd7579542e3df55a592890f16f7abadadc23
Instruction ID: b405be847cad20135009ce29064b0fbb508456541066eea320122a470cd36aa7
Opcode Fuzzy Hash: 5169dc83cb44d0e67f4b7a1f034efd7579542e3df55a592890f16f7abadadc23
Instruction Fuzzy Hash: 9F216B307006208FC714DB7684517AE7AE6EFC9204B84842DD646DB350CFBAEE078BD2

Function 015A0CA8 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P@l, xrefs: 015A0CC8
`>l, xrefs: 015A0D37
`>l, xrefs: 015A0D62

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID: P@l$`>l$`>l
API String ID: 0-677101323
Opcode ID: d528ca9cc71448de9847d9bc60b68cd6adee85ecc46e4cfefcfcb8b899202b75
Instruction ID: 2f701f5e84ae5ca98b047cead44f9bb88f1286b290d658c3e8095fac5e36988c
Opcode Fuzzy Hash: d528ca9cc71448de9847d9bc60b68cd6adee85ecc46e4cfefcfcb8b899202b75
Instruction Fuzzy Hash: B42149307007208BC710EB7684506AEBBE6AFC9204B80842DD246DB740CFB9EE028BD5

Function 0142A120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0142A1C2

Strings

Z, xrefs: 0142A146

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID: Z
API String ID: 2029273394-1505515367
Opcode ID: 7cbbd44f1ca99d4f1c420ed2d56f9a2fcb0b3ee89bcd8154096a7d3ba327c94d
Instruction ID: 1b3caa5f3ca93bf51521d7f8e7fa9c730f2c77c93524c3cfd0400e7c416a7e6b
Opcode Fuzzy Hash: 7cbbd44f1ca99d4f1c420ed2d56f9a2fcb0b3ee89bcd8154096a7d3ba327c94d
Instruction Fuzzy Hash: 2721E27150D3C06FD3028B258C65B62BFB4EF87710F0A85DBD8C48F193D265A919C7A2

Function 015A0799 Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@Yl, xrefs: 015A0822
:@Yl, xrefs: 015A08B5

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID: :@Yl$:@Yl
API String ID: 0-1237330149
Opcode ID: e18d0ddf07335e01283a575a10f3973fd5224f503a3c1269a23ae8f9254b7c92
Instruction ID: f8574b52d1670b1c3ffa62c9d46c51c0ab414dc2fa5664737eefbb102d79c493
Opcode Fuzzy Hash: e18d0ddf07335e01283a575a10f3973fd5224f503a3c1269a23ae8f9254b7c92
Instruction Fuzzy Hash: 40A18E34B002158BDB149FB6D5687BEB7B7FB88308F158029DA069B398DFB98D41CB51

Function 0142A676 Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0142A72D

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 842c51088a68a65142b054a1e689200063b4caf6568dfd4ad5a64b173e54489a
Instruction ID: 5d56f8cc0e68efabfb2df9adf516b29a654d0df848cce4f6dd26a671c9dd83fc
Opcode Fuzzy Hash: 842c51088a68a65142b054a1e689200063b4caf6568dfd4ad5a64b173e54489a
Instruction Fuzzy Hash: 7B3190715093806FE722CB65DC44B62BFF8EF06210F08849AE9858B663D275E809DB71

Function 0142B2F6 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0142B3A3

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3b1419c596c69d78289fe7ed83365c2182219bd6aa899c648ad3c532c982d9ca
Instruction ID: 23db1f5fd3b277403cecfe32eb57dce3b000ec6ec60eb9c802b62ea20bb1db59
Opcode Fuzzy Hash: 3b1419c596c69d78289fe7ed83365c2182219bd6aa899c648ad3c532c982d9ca
Instruction Fuzzy Hash: CF319476408344AFE7228B65DC45FA7BFFCEF05214F09849AEA85CB162D364A909CB71

Function 0142ADB4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0142AE57

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 05dca6647010a8692306cfd103ce1ef2671ec1b75913a1bc4a5a9263c5fb4825
Instruction ID: 78eb33ae2a0db80139c4340bfa91357f5e68b98aeaba16e0698cdd2fc9d45523
Opcode Fuzzy Hash: 05dca6647010a8692306cfd103ce1ef2671ec1b75913a1bc4a5a9263c5fb4825
Instruction Fuzzy Hash: 4C31B571548344AFEB228F65DC44F67BFECEF05224F09889AF985CB552D364A409CB61

Function 0142AC26 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0142ACE6

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: d5dd8b70dfb0def3680a764e425ae63bc5fa0daa013432d2297723cabd71a667
Instruction ID: e4a033a965295eecfc9fc6feb629897b25d471556963f906f1dd49ee4223285b
Opcode Fuzzy Hash: d5dd8b70dfb0def3680a764e425ae63bc5fa0daa013432d2297723cabd71a667
Instruction Fuzzy Hash: 86318C7250E3C06FD3138B618C65A61BFB4AF47610F1A84CBD8848F1A3D2686809C7A2

Function 0142ADDA Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0142AE57

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2db1006c2035142f2f34ef3f38a7bfeba8363a0073d590fb4c55aa05b0e47e5a
Instruction ID: cc5323f7ab2d73ee80b9791e8598ccbdac622103399641c1653ced4b544deed3
Opcode Fuzzy Hash: 2db1006c2035142f2f34ef3f38a7bfeba8363a0073d590fb4c55aa05b0e47e5a
Instruction Fuzzy Hash: 6521C172544204AFEB219F55DC44F6BBBECEF04324F04886AEE45CB656D370E4498BA1

Function 0142A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142A40C

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ce904d81b3eca5c6adc904c779336d32db3026647b0ffb5684e02c63482846eb
Instruction ID: 5c71ad115f1dfb1b610586e26ea27ce6ac503351454c44361842f123d6f36dcb
Opcode Fuzzy Hash: ce904d81b3eca5c6adc904c779336d32db3026647b0ffb5684e02c63482846eb
Instruction Fuzzy Hash: F0218DB5508740AFE721CF15DC84F63BBF8EF05610F18849AEA45CB662D3A4E948CB61

Function 0142B326 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0142B3A3

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3e45c25acb8819fd41861155b4a055a639750052b9f42e572c903bc389496b0
Instruction ID: 6428d93ac15f60291d7ab0502fa79f182e73cb52b3befe582fd75b9e79465908
Opcode Fuzzy Hash: b3e45c25acb8819fd41861155b4a055a639750052b9f42e572c903bc389496b0
Instruction Fuzzy Hash: 5921C176504304AFEB21CF65DC45F6BBBECEF08214F04886AEE45CB665D7B0E5488BA1

Function 0142A900 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142A98E

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09323007fbd756de6f81fee2343658cba4c228a6b8dfc106b11c06a5e8b6f427
Instruction ID: 2e3193144f591ca8e03983e33380277b1a046bdc0c638083c181d4309ff99e39
Opcode Fuzzy Hash: 09323007fbd756de6f81fee2343658cba4c228a6b8dfc106b11c06a5e8b6f427
Instruction Fuzzy Hash: E921C1B55083806FEB228B15DC44F62BFB8EF46614F0984DBED848B553C264A909CBB1

Function 0142A9E3 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142AA71

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 44a690490552adaac9cc78e8fff576b46ecfa217a7206e1823407e4fb5980fb9
Instruction ID: 26f493ffa456ff30f6428e955567c1d5d4a23047976afc30dffe3074b6b10b1c
Opcode Fuzzy Hash: 44a690490552adaac9cc78e8fff576b46ecfa217a7206e1823407e4fb5980fb9
Instruction Fuzzy Hash: AA21A175409380AFDB228F51DC44F66BFB8EF06210F0884DAE9848B162C275A508CBA2

Function 0142A6AE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0142A72D

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fc319a526fbd890e1fc20a3a3815c51c8feebeacefbb3806376dc5c5d1536bab
Instruction ID: 77f6eaf485803c05b4f85591890f40244c8fb8ee4ceb0c8fd6cbe816f19d5de8
Opcode Fuzzy Hash: fc319a526fbd890e1fc20a3a3815c51c8feebeacefbb3806376dc5c5d1536bab
Instruction Fuzzy Hash: 6721B275504240AFEB21CF65DD85F66FBF8EF08210F18885AEE468B752D371E444CB65

Function 0142A83F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142A8C5

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: bb55a00001614816fa0bbb658a90caafc7c5546c6f272b0f7a8653878d51cdc5
Instruction ID: 2ff804b6927631e9ee54d61d01f3377f3cbf4fcee23d6e119055821d8e967d81
Opcode Fuzzy Hash: bb55a00001614816fa0bbb658a90caafc7c5546c6f272b0f7a8653878d51cdc5
Instruction Fuzzy Hash: 8B21D5B540D3806FE7128B15DC44BA2BFB8EF46314F0980DBED84CB293D2A4A909C771

Function 0142AABB Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0142AB3B

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 8f85c0ae1c0aa759c117886ff2c01a6f8eab27670b7ea35e7053eda6fd7d23fc
Instruction ID: d41c87c16b3d266487404e32b7d0e5e90e556d859e86bd6f4e3f1b9f50609560
Opcode Fuzzy Hash: 8f85c0ae1c0aa759c117886ff2c01a6f8eab27670b7ea35e7053eda6fd7d23fc
Instruction Fuzzy Hash: 912183755083C05FEB12CB29DC55B92BFE8AF06214F0984EBD984CB663D274D949CB61

Function 0142A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142A40C

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cd62e01224f2ad3e4fbd928fd7375f4b1c1e7436574206f9552750c0f9496b89
Instruction ID: 6bdd355c502f406ecae7026d792759ac5fe5bd98b6e5750b71edf28ee6050256
Opcode Fuzzy Hash: cd62e01224f2ad3e4fbd928fd7375f4b1c1e7436574206f9552750c0f9496b89
Instruction Fuzzy Hash: 7F21AE755046109FEB20CE15DC84F63F7ECEF04610F18846AEE45CB661D3B0E949CA71

Function 0142AA12 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142AA71

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 823cc4b150391f16a69b629f23561ad0d8061bfc826991d944450b9c6635ec98
Instruction ID: 0034c4fad0e0a083502f7b7e945204851099fca01135d0032c03ca27501bdaf0
Opcode Fuzzy Hash: 823cc4b150391f16a69b629f23561ad0d8061bfc826991d944450b9c6635ec98
Instruction Fuzzy Hash: F0110176404300AFEB21CF15DD40F66FBE8EF04324F18845AEE458B655C3B4A548CBB2

Function 0142A932 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142A98E

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 76884a46a2447a313e1349bb11ad7006b4a2746f35f92841188a9ce915697f5c
Instruction ID: c8a9804c0d52e1f4fcde585b0d3c60051dc761f4f9f3aaeb1f60803ba36495ee
Opcode Fuzzy Hash: 76884a46a2447a313e1349bb11ad7006b4a2746f35f92841188a9ce915697f5c
Instruction Fuzzy Hash: 1E112376504200AFEB21CF55DC80B66FBE8EF04320F19C85BEE488B655C3B0A448CBB2

Function 0142A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0142A30C

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 84b43007cbf68d8165a1db102691dbbea4f086e8c82e0da901596abd888b79c6
Instruction ID: 6db6d55beb320a71c8e1e72e25d78ff883495725a2864bf5265d24188d934443
Opcode Fuzzy Hash: 84b43007cbf68d8165a1db102691dbbea4f086e8c82e0da901596abd888b79c6
Instruction Fuzzy Hash: F21191754093C09FDB228B25DC54B52BFB4DF07220F0980DBDD848F663D275A949CB62

Function 0142A5DC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 0142A636

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 2f7595a6204c30f1ba6fb94f94f3c3edaeaf4621227dc7b229bd9964637eaecf
Instruction ID: 860e2fa80c763ad4f5149d4f7a8ec2e4ce312f3b24873ab234abd7be070a5024
Opcode Fuzzy Hash: 2f7595a6204c30f1ba6fb94f94f3c3edaeaf4621227dc7b229bd9964637eaecf
Instruction Fuzzy Hash: 99116D714093849FDB21CF55DC89B52FFA4EF46220F0984AAED888B262D375A408CB61

Function 0142B264 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0142B2B8

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 30c647165c6031a2f090dc5f3101b2a3ab3d310da0b985d088c229a6a18227e8
Instruction ID: aea90444c4511622456752547c1cff30287c7d34f24c6c85a6b7543d6ed4e9b9
Opcode Fuzzy Hash: 30c647165c6031a2f090dc5f3101b2a3ab3d310da0b985d088c229a6a18227e8
Instruction Fuzzy Hash: 561170754093809FDB12CF15DC99B56BFB4DF46220F0984EBED848F253D275A948CB62

Function 0142A872 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,E21542A3,00000000,00000000,00000000,00000000), ref: 0142A8C5

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a526bf010b0ee2a11bfbb2dfff749a8373eca149b696176e7c7e259bc7c09acd
Instruction ID: 727e1868ab8e817c190b661f274e47dd700af7126a00de14dcc352f4ccfba864
Opcode Fuzzy Hash: a526bf010b0ee2a11bfbb2dfff749a8373eca149b696176e7c7e259bc7c09acd
Instruction Fuzzy Hash: B1010075508250AEE7208B05DC84B66F7A8DF04324F18809AEE048B656D3F4A9898AA2

Function 0142AAF6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0142AB3B

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d407a93d3cecaf9209fd125e0f7d96e966a3f60e5d1d5f7d7006f8b122c67b68
Instruction ID: 05dbd20436e90637bdfc2f4ac069a2e9cf4c4d9aa0bd9fef712fe5389ccbb40e
Opcode Fuzzy Hash: d407a93d3cecaf9209fd125e0f7d96e966a3f60e5d1d5f7d7006f8b122c67b68
Instruction Fuzzy Hash: F311A5716042408FEB10CF19D884756FFD8EF04210F18C8ABDE05CB756E674D484CB61

Function 0142B03B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0142B094

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: be0df99f4e24e55b8ea618c27e6092dd5aaa051148ce0990b4809c0ff6719f81
Instruction ID: ab0157b785b2cc8cceaf9754cf480c0126cd9c636e5ef7facd772a962b55701c
Opcode Fuzzy Hash: be0df99f4e24e55b8ea618c27e6092dd5aaa051148ce0990b4809c0ff6719f81
Instruction Fuzzy Hash: 22119E755093809FDB128B29DC85B52BFF4EF06220F0984DBED858B263D278A848CB61

Function 0142A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0142A1C2

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 9781d3df73417f562dc1fc6019db1a7204420b60311ddd3542e1a8f1380ca261
Instruction ID: 02d3d966e1dd926c62bd4af89056765eebbdca4c2bf11d35eea5bc45093dcfaf
Opcode Fuzzy Hash: 9781d3df73417f562dc1fc6019db1a7204420b60311ddd3542e1a8f1380ca261
Instruction Fuzzy Hash: 0001D471940600AFD310DF16DC46B26FBE8FB88A20F14816AED089B741D771F915CBE1

Function 0142AC96 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0142ACE6

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: a501ffc9afe19d523adf9d6b375c540095d2ca89c8c7af53605f6283d2a9942f
Instruction ID: 8d492720d8a15be5098832c67d37e2b17b5fbc9994269df23b1125123d20fa1a
Opcode Fuzzy Hash: a501ffc9afe19d523adf9d6b375c540095d2ca89c8c7af53605f6283d2a9942f
Instruction Fuzzy Hash: 7B01B171940600ABD350DF16DC46B26FBE8FB88A20F14816AED089B641D771F915CBE1

Function 0142A5FE Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 0142A636

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 5b0dd87976fe8f77be14c941935657586d0d5fc5c2c8a4850514f78250092c4a
Instruction ID: c9ddfada21c3dcaceff1d052f1e83c63c75d1ab89437bfedf85c03f5d616b42d
Opcode Fuzzy Hash: 5b0dd87976fe8f77be14c941935657586d0d5fc5c2c8a4850514f78250092c4a
Instruction Fuzzy Hash: 2501A7758042409FDB20CF55D885B56FBE4EF44720F18C4ABDD898F656D375A448CF62

Function 0142B062 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0142B094

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 6069f31114fa5f30b55cedd84867b5ea389c9484b4f87c611c4f88e6cb87de9d
Instruction ID: d48dce31758b63cea04f57e62ee4028f08b86350e264eb32a88a34af614e9d7e
Opcode Fuzzy Hash: 6069f31114fa5f30b55cedd84867b5ea389c9484b4f87c611c4f88e6cb87de9d
Instruction Fuzzy Hash: D201F9755042408FDB118F19D885762FBD4DF04220F08C09BDD058B766D3B9E584CEA1

Function 0142A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0142A30C

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 191ab62811f6d466697f73d6f218dfee47cda6fa1fb3d5df8aa9897f5942ab26
Instruction ID: 8700e2379fee6b080277aad81aa7d8350ddd8c899df29e33b13426b14f7fd41e
Opcode Fuzzy Hash: 191ab62811f6d466697f73d6f218dfee47cda6fa1fb3d5df8aa9897f5942ab26
Instruction Fuzzy Hash: 4AF0A4354042908FDB108F0AE885762FBE0DF04625F58C09BDD054B766D3F5A584CAA2

Function 0142A784 Relevance: 1.3, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0142A7F8

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 007bcaa531a1805de2669ca1ae7318d577b0f1cf6433127c2174d0fa97d088fc
Instruction ID: 33e9341f736a82f4c3a74e402e68d0cf8da2e4c2656f9a38e024dada3adbc708
Opcode Fuzzy Hash: 007bcaa531a1805de2669ca1ae7318d577b0f1cf6433127c2174d0fa97d088fc
Instruction Fuzzy Hash: 3721B0755093C05FDB138B25DC95652BFA8AF07220F0980DBDC858B6A3D2649909C762

Function 0142A7C6 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0142A7F8

Memory Dump Source

Source File: 00000000.00000002.3704353238.000000000142A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1a39b7c6977bf92c2c1d372b612a417180445a151c74e624d2283eab1074d1df
Instruction ID: 7af7aeb45aec7fb2de1d11bccd9470998e0720da385f0731acec19e5370bf09a
Opcode Fuzzy Hash: 1a39b7c6977bf92c2c1d372b612a417180445a151c74e624d2283eab1074d1df
Instruction Fuzzy Hash: 83018F759042908FEB108F19E885766FBE4EF04220F58C4ABDD098B656D2B5E589CAA2

Function 015A02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e950e5a8f6a0834ff0680b2a1454cd682b2aa2a28fe6b499e5bc7449e3d6cf
Instruction ID: 4c37d9b88455a84c485ced4cdb1f1931ff93c851d6e83dc64e8be72febd8b7a9
Opcode Fuzzy Hash: 07e950e5a8f6a0834ff0680b2a1454cd682b2aa2a28fe6b499e5bc7449e3d6cf
Instruction Fuzzy Hash: A6B13D78701110CFD718DFA7E968A5E7BBAFF88250B508169E9069F3D8DB389C85CB50

Function 014A0808 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704725580.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3427a69e9741bfd1924c3f03f7910697b5cefa3730ee8ebeed695f12157ead
Instruction ID: 330af70c826f5bcb784a75e53c6e0425b234f9dc40d1014aafd33741a77e7a7a
Opcode Fuzzy Hash: fe3427a69e9741bfd1924c3f03f7910697b5cefa3730ee8ebeed695f12157ead
Instruction Fuzzy Hash: 4D11B7B284D2046FD300DF15EC41CA7BBE8DF95525F09C47FED498B201E276A9188BE2

Function 015A0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d45b3218572d54856072f09f21aacb6300c64507a5576d0d919ce58d2fa6533
Instruction ID: 8c3882818de1748662593df73c90e8ba8695babe74c90b5015cafa1e463d484c
Opcode Fuzzy Hash: 3d45b3218572d54856072f09f21aacb6300c64507a5576d0d919ce58d2fa6533
Instruction Fuzzy Hash: B911D635A101185FCB148BF5D9589DE7BF6FF88214B044579E505D7370DF319D1A8790

Function 015A0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bea04b3e3bd63ec932b0772713cbb69839812f64e9603c600d14a547dc62df4
Instruction ID: 6bcc348ea1c00f7a32d3bc52ed26b881f9b3fbfc94272c0b204906ded045d978
Opcode Fuzzy Hash: 1bea04b3e3bd63ec932b0772713cbb69839812f64e9603c600d14a547dc62df4
Instruction Fuzzy Hash: 43119135A10118AFCB049BF5D95C9DE7BFAFF88214B054475E605EB760EF31AD0A8790

Function 014A05E0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704725580.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bdd585820bdd7ffe2d59a2159d9b8ab9ad0a415095f95c1054a6082cf7d2078
Instruction ID: 5a07b7420056891d42c89209fcc460db10bfcf32f4dc6f1e2282f157695fd04a
Opcode Fuzzy Hash: 7bdd585820bdd7ffe2d59a2159d9b8ab9ad0a415095f95c1054a6082cf7d2078
Instruction Fuzzy Hash: BD01FE7150D3C05FC7128B16DC44862BFA8DF5712074984DFE885CB653D1696909C762

Function 014A082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704725580.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472c03c7a0eb9ef26c6a3f1fb2f01648e9f3235c0b316b16a0063b734eb7b01c
Instruction ID: 7ed83d4c83f62980d2258d941bee5ae21d61383eaef72d41cc19fc22037adbb0
Opcode Fuzzy Hash: 472c03c7a0eb9ef26c6a3f1fb2f01648e9f3235c0b316b16a0063b734eb7b01c
Instruction Fuzzy Hash: 48F082B28492046F9240DF05ED85856F7ECDF84521F04C57EED088B700E276AA154AE2

Function 014A0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704725580.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a2f8dceb07b878bd2a7dc7f9df57016b79bcdab60de88c239457d2b000e99d
Instruction ID: 1e17f992dd189be1e161d513aecb951371f7edc41a466bdd37057dafaf5c1482
Opcode Fuzzy Hash: b9a2f8dceb07b878bd2a7dc7f9df57016b79bcdab60de88c239457d2b000e99d
Instruction Fuzzy Hash: 8BE092B6A456004B9650CF0BFC41452F7D8EB88630718C07FDC0D8B701E675B504CAA5

Function 015A0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fbded5da317e0f6296949fd6e431d1bcb7173729694c0adfe72914f12237a5
Instruction ID: 1642742517fc7ca36036e93b8e71cf4dc9ba169a3e4532d797f22e458428e7e0
Opcode Fuzzy Hash: 94fbded5da317e0f6296949fd6e431d1bcb7173729694c0adfe72914f12237a5
Instruction Fuzzy Hash: 52E0DF31F152241FCB44DFFA98481DEBFF5EB95260B5885BAC408EB751EB3488068780

Function 015A0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c40b00e9bb59a19cdf97699263850c70f55b2e9688830e4d0e95ab070bb6c60
Instruction ID: 373bcac830d1760d2077867cc772fc769c6f3e99cfa13ac08b399719776ed1fa
Opcode Fuzzy Hash: 4c40b00e9bb59a19cdf97699263850c70f55b2e9688830e4d0e95ab070bb6c60
Instruction Fuzzy Hash: 01D01231F052281B8B54EBFA59485DF7AEA9B84164B588479910DE7740EE3198058780

Function 015A0E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5311feffb7647fc37ebc30c0a46b2335bbc7b5abf95c2be0afd0b5438f573fa4
Instruction ID: 62e49f7c6d9f5fddc6206aaa7ea6428e8c5599da384ee154b762bef6664abef0
Opcode Fuzzy Hash: 5311feffb7647fc37ebc30c0a46b2335bbc7b5abf95c2be0afd0b5438f573fa4
Instruction Fuzzy Hash: 7AE0C2352903108FC7059768E5595D83BA0EF92220B85C1A6D8448F2A2CB3CCC4BCB00

Function 015A0DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6218453dc6f55a78ab4bd7f709000fd5cf30c7bed99df1cffed470f0ff4e1b43
Instruction ID: fd13de1e3cda414ec8a94da2c671cec8bdbc09ec8f4b0c56d204273c26656509
Opcode Fuzzy Hash: 6218453dc6f55a78ab4bd7f709000fd5cf30c7bed99df1cffed470f0ff4e1b43
Instruction Fuzzy Hash: 44E0CD301C03044FC7058B74D5645DD3BA1FB91214F4582A5C8458F1A1C73C9C45DB40

Function 014223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704310347.0000000001422000.00000040.00000800.00020000.00000000.sdmp, Offset: 01422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1422000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffae9d62bc2f8e3db89cbed97a147e5f00411e2a7b982d724f960ca184fd132f
Instruction ID: 6a10a45c5a251eb7de044ba72cd8958aa595f5152ab19dab4110c4e15802d4b1
Opcode Fuzzy Hash: ffae9d62bc2f8e3db89cbed97a147e5f00411e2a7b982d724f960ca184fd132f
Instruction Fuzzy Hash: 1ED05E79205AE14FE316DA1CC1A4F963BE8AB51714F8A44FAEC008B777C7A8D5C1D610

Function 014223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704310347.0000000001422000.00000040.00000800.00020000.00000000.sdmp, Offset: 01422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1422000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7905fca156cdb50d7baa8438d6ac3112182f3e82d6de16e888c456863873c8
Instruction ID: ed9a775c78c3aaf4beb515d09d3e9e259d35e4840185e7a990eddb8438b58f0e
Opcode Fuzzy Hash: 5e7905fca156cdb50d7baa8438d6ac3112182f3e82d6de16e888c456863873c8
Instruction Fuzzy Hash: A6D05E342002814BD719DA1CC2D4F5A37D4AF40714F0644E9AC10CB376C7F4D9C0CA00

Function 015A0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac99fa32bc22ce69b4cd8d0b5b9f2b19c2de36087fdac6bdd3b32f76ed9ffd4
Instruction ID: 8c2047bc7022c9623818d1706eb6d09e911f8c1f415e8b6a18ac135d55e439d8
Opcode Fuzzy Hash: aac99fa32bc22ce69b4cd8d0b5b9f2b19c2de36087fdac6bdd3b32f76ed9ffd4
Instruction Fuzzy Hash: 98C012342502088FC70497A9E61CA2D779967D5204FC4C06555080F391CB74EC40C740

Function 015A0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704821347.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ee7e15e2be29eea741aa9ca0147dbb0822761432f4a0417f80a80098890dca
Instruction ID: d2559ca8fecb2aa20e86e937dd8115c24687ee90226d4dbf4e53a72d5fd03a3d
Opcode Fuzzy Hash: 63ee7e15e2be29eea741aa9ca0147dbb0822761432f4a0417f80a80098890dca
Instruction Fuzzy Hash: 32C012302902088FD7049BA9E51CA2E779A67D0204F85C06495090F391CB74EC80D680

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ATT00004.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 5500, Parent PID: 4056

General

Chronological Activities

Analysis Process: 7za.exePID: 6900, Parent PID: 5500

General

Chronological Activities

Analysis Process: conhost.exePID: 3364, Parent PID: 6900

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 5500, Parent PID: 4056COMMON

Execution Graph

Graph

Windows Analysis Report
ATT00004.zip

Function 015A0C99 Relevance: 3.8, Strings: 3, Instructions: 86
COMMON

Function 015A0CA8 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Function 0142A120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
fileCOMMON

Function 015A0799 Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Function 0142A676 Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Function 0142B2F6 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0142ADB4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0142AC26 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Function 0142ADDA Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0142A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0142B326 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0142A900 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0142A9E3 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0142A6AE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0142A83F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON