Edit tour

Windows Analysis Report
MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip

Overview

General Information

Sample name:	MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip
Analysis ID:	1649424
MD5:	9d1ae6e0b5e72ce5ad65e6faabdc766c
SHA1:	68a22d7059b564269abdbd0ed407ed7df281a90f
SHA256:	9e164af30d689105a7e2771bbd8008d787b2c574c5235118f071c5657e4c9ae9
Infos:

Detection

Score:	2
Range:	0 - 100
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 8632 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 8656 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\k5ttgjw3.uqz" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 8664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

• Compliance
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8664:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\k5ttgjw3.uqz" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\k5ttgjw3.uqz" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip

Static file information: File size 26991851 > 1048576

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1220000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 3914			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 6055			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 8716	Thread sleep count: 3914 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 8716	Thread sleep time: -1957000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 8716	Thread sleep count: 6055 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 8716	Thread sleep time: -3027500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00E0B1D6 GetSystemInfo,

0_2_00E0B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\k5ttgjw3.uqz" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1649424
Start date and time:	2025-03-26 19:16:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.75.60.91, 150.171.27.10, 23.44.203.181
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:18:29	API Interceptor	4310466x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3438
Entropy (8bit):	5.093907268339771
Encrypted:	false
SSDEEP:	48:XlEbAaGGbuGuGpcGkGuGp3fGboGCfGWG4GuGuGmlGuG3GuGmD5L1yTb/LwqLLwGr:Xl/eUWI/WbMMPx5D
MD5:	93BE5FDC2928706E4369ABA98FB83386
SHA1:	4102DFFB67A7F221A644CEC8E4247952F7172481
SHA-256:	FE38860D894E34C88EFC23B9F7ED3BF9FAA5799283F431C252C0249C6ED3F73B
SHA-512:	9341532BF462365C1A105A3E4F8B7F5C403EEB6997B946A3F420F370422EA568250445B8A205F6EDC3494F4BF3A052587D282F52EA0BED2FEFE48A12D9822E40
Malicious:	false
Reputation:	low
Preview:	03/26/2025 2:17 PM: Unpack: C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip..03/26/2025 2:17 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\k5ttgjw3.uqz..03/26/2025 2:17 PM: Received from standard error: ERROR: Wrong password : asc-setup.exe..03/26/2025 2:17 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..03/26/2025 2:17 PM: Received from standard out: ..03/26/2025 2:17 PM: Received from standard out: Scanning the drive for archives:..03/26/2025 2:17 PM: Received from standard out: 1 file, 26991851 bytes (26 MiB)..03/26/2025 2:17 PM: Received from standard out: ..03/26/2025 2:17 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip..03/26/2025 2:17 PM: Received from standard out: --..03/26/2025 2:17 PM: Received from standard out: Path = C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfb

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.999993609708672
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip
File size:	26'991'851 bytes
MD5:	9d1ae6e0b5e72ce5ad65e6faabdc766c
SHA1:	68a22d7059b564269abdbd0ed407ed7df281a90f
SHA256:	9e164af30d689105a7e2771bbd8008d787b2c574c5235118f071c5657e4c9ae9
SHA512:	b57a362d8411adb6c61546c17219ec15aab096b97377c58d2984e4d8b1c435349bb1cf3dd03f22bd308164a5571449b197546471fb083b01ba362fcc7e9dc15a
SSDEEP:	786432:i/zNTiHQlJ1AZLAaJhsWc04BgkEhC23QC:khOQlHAZkDWlKXWVN
TLSH:	2A473380A1D12E0FC938B0C5EC76FFCE05CD95AAAF4F142C112156B2A7F6A5C562B1F6
File Content Preview:	PK..........zZ+.8.'.........$.asc-setup.exe.. .............z.......z.......z......F..,....a3.Hqo.......T."C.........\.... .O....1...P.h.....f.....=....u.d...E...B.......D&...$.........%.. .`.N..i'.+...=.......;3n}8Q\|...j`..<..V.(..?*fT...Mz#..J......4+...

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 19:18:33.500442028 CET	53	51203	162.159.36.2	192.168.2.5

Statistics

CPU Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 8632, Parent PID: 3084

Function Logs

General

Target ID:	0
Start time:	14:17:56
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip"
Imagebase:	0x820000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 8656, Parent PID: 8632

Function Logs

General

Target ID:	1
Start time:	14:17:56
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\k5ttgjw3.uqz" "C:\Users\user\Desktop\MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip"
Imagebase:	0x150000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8664, Parent PID: 8656

Function Logs

General

Target ID:	2
Start time:	14:17:56
Start date:	26/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7e2000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 8632, Parent PID: 3084COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	76
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E0B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00E0B208

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 532036e26af16a20f5169d88fc88f22491cfdd822ff15f92222faa5c270e4e45
Instruction ID: f9a4298f7827380299cb44241bcc2acc4286b233a3ddf686230f5c82dc677df0
Opcode Fuzzy Hash: 532036e26af16a20f5169d88fc88f22491cfdd822ff15f92222faa5c270e4e45
Instruction Fuzzy Hash: D301F2309002409FDB10CF15E98976AFBE4EF01720F08C4AADD489F392D375A448CBA2

Function 00E0B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0B2F3

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 709d004ccb46a16b82f07ae7273be0d499c8ca99179b85e204ffed4b12d8d145
Instruction ID: a9b49f7e35d946f55c89a05e576c6749ac8e99586b626f52cc403816d0377d70
Opcode Fuzzy Hash: 709d004ccb46a16b82f07ae7273be0d499c8ca99179b85e204ffed4b12d8d145
Instruction Fuzzy Hash: 9C31C671504384AFEB228B61DC44FABBFFCEF06314F04849AE985CB552D364A909CB71

Function 00E0AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0ADA7

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c4b9b47915946f56666a49593a31299ffa1125d2de76b165b57445665d675b64
Instruction ID: 662128966fee4f1f097ae41d638ada452c862b71bfe1fcdff27e5a0ff99cb0ce
Opcode Fuzzy Hash: c4b9b47915946f56666a49593a31299ffa1125d2de76b165b57445665d675b64
Instruction Fuzzy Hash: 2931B371504384AFEB228B65DC44FABBFBCEF05314F08889AF985DB552D364A849CB71

Function 00E0AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00E0AC36

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 2e4d49fd9aee66fc5939c7ba453ddf09388d9999624474d7c082abd7cc765a5d
Instruction ID: 8f04e206d211f9163d930ceab7f27260d821a4ebf78f1a58bdd1990e868926b5
Opcode Fuzzy Hash: 2e4d49fd9aee66fc5939c7ba453ddf09388d9999624474d7c082abd7cc765a5d
Instruction Fuzzy Hash: D131907250E3C05FD3138B718CA5A95BFB4AF47610F1A84CBD8C4CF5A3D2686809C7A2

Function 00E0A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0A67D

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b5eb3de8ea84ba13ce49b914924cad01e226389073c1d26d1072f0792827512
Instruction ID: e5a372f8c65d3b8007c2b78f82471c8f433e3a90fd46b6276ac536445c6bff6e
Opcode Fuzzy Hash: 6b5eb3de8ea84ba13ce49b914924cad01e226389073c1d26d1072f0792827512
Instruction Fuzzy Hash: 17319071504384AFE721CB25DC44F66BBF8EF05214F0888AEE9898B692D365E808CB71

Function 00E0A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00E0A1C2

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e8b93b133d564a4366b6686c1aa9716a6115253f270f021516add274e6e43fb3
Instruction ID: ab847663a5ce2db7c45702ec6fbbf8c9ba91b5d2c5c1bcc8a08550a765c52099
Opcode Fuzzy Hash: e8b93b133d564a4366b6686c1aa9716a6115253f270f021516add274e6e43fb3
Instruction Fuzzy Hash: EA21E57150D3C06FD3128B258C51BA6BFB4EF87610F1984CBD8C4CF693D225A919C7A2

Function 00E0A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A40C

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 790e7fd19523512fc40be2866231ed745d9a78a19d391f51e096688f2e1382f0
Instruction ID: 7451d56294636426cb75796f66ef0e20a0b3cb282c3a741c564478b8c39daa27
Opcode Fuzzy Hash: 790e7fd19523512fc40be2866231ed745d9a78a19d391f51e096688f2e1382f0
Instruction Fuzzy Hash: FD217C75604744AFD721CB11DC84FA7BBFCEF05714F08849AE9859B292D364E948CB62

Function 00E0B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0B2F3

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 42cbe056bca2e75a2021132926d8f2840b951c3fd363426dbc2bd8303ccc75d4
Instruction ID: e9b792c107d105b081277d3e1c64a4e8745f1ffa56b03185f6cd1c8f635410a9
Opcode Fuzzy Hash: 42cbe056bca2e75a2021132926d8f2840b951c3fd363426dbc2bd8303ccc75d4
Instruction Fuzzy Hash: 4921C172500204AFEB21DF65DC44FABBBECFF04314F04886AE985DBA51D774E5488BA1

Function 00E0AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0ADA7

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e5b0a72938fac02b3e52f0aa6fc9539d1ecf2ccb7a1a930a1486aac7f459facd
Instruction ID: 32adceab620f03bc807f5a5c32647239e8be4cad97063333cbeb4983f1cb69d0
Opcode Fuzzy Hash: e5b0a72938fac02b3e52f0aa6fc9539d1ecf2ccb7a1a930a1486aac7f459facd
Instruction Fuzzy Hash: C221B272500348AFEB218F55DC44FABBBACEF04318F04886AE9459AA51D770E4488BA1

Function 00E0A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00E0A5B6

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 07991f64a920de0695ec7c82353886614951dca7787905175e96fa25dce2f13c
Instruction ID: ae61f17d08687f7ca2500535dec651e4f951f817842edaf1a3bd7cc7c288a643
Opcode Fuzzy Hash: 07991f64a920de0695ec7c82353886614951dca7787905175e96fa25dce2f13c
Instruction Fuzzy Hash: F021A3B154D3C06FD3138B25CC51B62BFB8EF87614F0A81DBE8888B593D6646919C7B2

Function 00E0A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A8DE

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 92a545411e4b1d51eb11a7cb1a59962be27ab2ac6b7a71e7f302f29d826ab3fe
Instruction ID: da7608d95baf18c1c131a133e4f88c1afd8db005f60e3173cbc683d9ded0b34c
Opcode Fuzzy Hash: 92a545411e4b1d51eb11a7cb1a59962be27ab2ac6b7a71e7f302f29d826ab3fe
Instruction Fuzzy Hash: 2721D6715093806FE722CB14DC44FA6BFB8EF46714F0984DAE9848F592C264A909C776

Function 00E0A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A9C1

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4ad43d1c396086df36662dcea0efaade0940bc1d31866bfc2af316154aa33074
Instruction ID: 7431029a19969f0a7f85056338e1849e6a5f406fa9ce29797ebeb31ca035921d
Opcode Fuzzy Hash: 4ad43d1c396086df36662dcea0efaade0940bc1d31866bfc2af316154aa33074
Instruction Fuzzy Hash: 8021A171509380AFDB22CF65DC44F96BFB8EF06314F0884DAE9859B192C365A448CBB6

Function 00E0A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0A67D

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 67799cc20bc66a161c71ca7934772d217437423796090e1759df17e018b164a8
Instruction ID: e6e1d346f53e37ac274776df9094701d302e347ded795d3b2f4d8b1d6b19e1f2
Opcode Fuzzy Hash: 67799cc20bc66a161c71ca7934772d217437423796090e1759df17e018b164a8
Instruction Fuzzy Hash: E8219171600344AFE720CF25DD45B66FBF8EF04314F088469E9499B691D372E848CB72

Function 00E0A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A815

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: dd11679e8a1f4ca46cb9a114ce2eda8695cbcea7ab901051945646ae39e2bf34
Instruction ID: 24e7c87592314c1a1f763b4127e08509861263c3479c5945029044554ff89d93
Opcode Fuzzy Hash: dd11679e8a1f4ca46cb9a114ce2eda8695cbcea7ab901051945646ae39e2bf34
Instruction Fuzzy Hash: D421D5B55093846FE7128B11DC44BE6BFB8EF47714F0880DAE9858B293D264A909C776

Function 00E0AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00E0AA8B

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 09e9e90be02bac2d08b4c94245062dc25248a9f188933f8bcd178b8c8bdfd9b4
Instruction ID: 3c68cdce172b945ea63e7854f7381be4802e9fc6060ba8e3abd828a2ee9e0c9f
Opcode Fuzzy Hash: 09e9e90be02bac2d08b4c94245062dc25248a9f188933f8bcd178b8c8bdfd9b4
Instruction Fuzzy Hash: 5A21B3716093C45FDB12CB29DC95B96BFE8AF06314F0D84EAE884CB193D224D949CB61

Function 00E0A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A40C

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6cecff0331b19cce607a31cad42106dd5d30e72590e634df6ace11638105b4c1
Instruction ID: bf3997e63d7f60e2fd72d5fdd0cd83ff8041ba4c41021d9667df4187e8c38058
Opcode Fuzzy Hash: 6cecff0331b19cce607a31cad42106dd5d30e72590e634df6ace11638105b4c1
Instruction Fuzzy Hash: CD219075600708AFE720CF15DC84FA7F7ECEF04714F08846AE9459B691D7A4E989CAB2

Function 00E0A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A9C1

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1c971b35afc5d8d9adcbe1d04f01f99e0e4a2cff128bcb75ef626e1d34c04132
Instruction ID: 8cc2f03201a6f32a73380d30e1ba0cd430c90e801b2c7fb40a83bdef2c5b00c6
Opcode Fuzzy Hash: 1c971b35afc5d8d9adcbe1d04f01f99e0e4a2cff128bcb75ef626e1d34c04132
Instruction Fuzzy Hash: 25110871600344AFEB21CF55DC44FAAFBE8EF44714F08846AE9459B681C374A448CBB2

Function 00E0A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A8DE

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8435da63251cb42843251acc6080c3d23103de85d98d679fda0472070223f15f
Instruction ID: f920b6583147afac37087d7b8aed89d9e9248cfc593224d4a4dba1de057029b9
Opcode Fuzzy Hash: 8435da63251cb42843251acc6080c3d23103de85d98d679fda0472070223f15f
Instruction Fuzzy Hash: 7D11E771600304AFEB21CF54DC44BAAFBE8EF44724F18C46AED499B681C374A5488BB6

Function 00E0A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E0A30C

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 138935b83f9978a40b578843daa6b873baf71032eb2d3df725d84131c11e8bec
Instruction ID: c6654640103e1fea446b5c0ffca98ca8490291faf2693f0576e0b2beda3d60d3
Opcode Fuzzy Hash: 138935b83f9978a40b578843daa6b873baf71032eb2d3df725d84131c11e8bec
Instruction Fuzzy Hash: 2511C1714093C09FDB228B21DC94A56BFB4DF07320F0D80DBDD848F1A3D265A848CB62

Function 00E0A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,02601EFB,00000000,00000000,00000000,00000000), ref: 00E0A815

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: cbd3d3687fd8adceb483f60f8f5fd688816845f93bda0f59bd35d8ea37bf8a1e
Instruction ID: 8dea57ea9e771dc653ef476385a64ef127521586c8639633a7ff49975f369fb5
Opcode Fuzzy Hash: cbd3d3687fd8adceb483f60f8f5fd688816845f93bda0f59bd35d8ea37bf8a1e
Instruction Fuzzy Hash: 3901DB71604344AEE720CB15DC45BE6F7E8DF04724F18C0AAED455B781D374A94D8AB6

Function 00E0AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00E0AA8B

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 37cf0be4ca36688a1f00c0f5dc11411ce49b3faa5a9b7f4d237997af1f4333b2
Instruction ID: 111b37f250b2277208240e2122357beb0b789e7b6c26d8c6d90105306d716dcc
Opcode Fuzzy Hash: 37cf0be4ca36688a1f00c0f5dc11411ce49b3faa5a9b7f4d237997af1f4333b2
Instruction Fuzzy Hash: 101170717002449FEB10CF19D985766BBE8AB04714F0CC4AADD49DB681E274D848CA62

Function 00E0B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00E0B208

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a699f3c4b4ce5ff8836b252f78b40e5483171646cc4b254e6beaa507f010d1f7
Instruction ID: 8e52f8715214a51ae9499160149d5f601c2d814ea8d7ca4e1acad8aa73f25840
Opcode Fuzzy Hash: a699f3c4b4ce5ff8836b252f78b40e5483171646cc4b254e6beaa507f010d1f7
Instruction Fuzzy Hash: FA11A0714093809FDB12CF15DC84B56BFB4EF06220F0884DAED848F292D275A848CB62

Function 00E0AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00E0AFE4

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 85e969e45f9e4d7aaf8dbdfb9fd2bc864bb04ded616cb41419b0d3e6295a5679
Instruction ID: 1acf10e5c39fd27132b16af143340c62434ee8f2a88b9ccca4e4f2a808fd6d05
Opcode Fuzzy Hash: 85e969e45f9e4d7aaf8dbdfb9fd2bc864bb04ded616cb41419b0d3e6295a5679
Instruction Fuzzy Hash: 2B11A0715093C09FDB128B25DC85B52BFF4EF06320F0984DAED858B2A2D364A848DB62

Function 00E0ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00E0AC36

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 4ae494f7a7a27667233bbbc75afdd5c2f3b2b851ff5d38c9bf2a4a52f02e6d4b
Instruction ID: fb8d72d8f9ad5bfc2bf008b958ca51adfc556462fd35b98829cfae3b77f338ac
Opcode Fuzzy Hash: 4ae494f7a7a27667233bbbc75afdd5c2f3b2b851ff5d38c9bf2a4a52f02e6d4b
Instruction Fuzzy Hash: C001B171640200ABD310DF16DC86B6AFBE8FB88B20F14815AEC089BB41D771F915CBE5

Function 00E0A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00E0A1C2

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 15aa46c5425362b848dab74bb3e3a5349591cc40ae0e30c91db52c2f3713e77e
Instruction ID: 22995e6001802178574f4d398208c3d37ebf6bf335179f5a182df96848387a37
Opcode Fuzzy Hash: 15aa46c5425362b848dab74bb3e3a5349591cc40ae0e30c91db52c2f3713e77e
Instruction Fuzzy Hash: 3E01B171640200ABD310DF16DC86B6AFBE8FB88B20F14815AEC089BB41D771F915CBE5

Function 00E0A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00E0A5B6

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: da1f6a7cd9f9d03b77309f136f704615786dc7240c51c67688d8ea1ad5e089b6
Instruction ID: 50278ca6bbfe2339a6bad894a72c5956e16d1f9cf6fd5106aabf6f8b09593d58
Opcode Fuzzy Hash: da1f6a7cd9f9d03b77309f136f704615786dc7240c51c67688d8ea1ad5e089b6
Instruction Fuzzy Hash: BF01AD71640600ABD210DF16DC86B66FBF8FB88A20F14815AEC089BB81D771F915CBE6

Function 00E0AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00E0AFE4

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b95ff78803889d6a2e5ea2ca9ced984663a1109cd625163e27d83d30906bd2cb
Instruction ID: 986c8ee4c4f70231bf4fdcd34a91822eb6ce58b5cdbee8edb5522ac8e2d4cd94
Opcode Fuzzy Hash: b95ff78803889d6a2e5ea2ca9ced984663a1109cd625163e27d83d30906bd2cb
Instruction Fuzzy Hash: 6B0121716003048FEB108F15D8847A2FBE4EF00320F08C0AADD499B792D375E888DEA2

Function 00E0A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E0A30C

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a94855dadf8dc27f63e270d613380194d3cf3636d2f56d235110ceb94e1b695b
Instruction ID: 393c19a7660b494226d9f5f2f61febe97834fc9922b0c1843802358a5c693832
Opcode Fuzzy Hash: a94855dadf8dc27f63e270d613380194d3cf3636d2f56d235110ceb94e1b695b
Instruction Fuzzy Hash: 25F081355043489FDB208F05D985766FBA4DF05724F08C0AADD495B792D3B9A498CAA2

Function 01200799 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

\O#l, xrefs: 01200966

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID: \O#l
API String ID: 0-569704425
Opcode ID: b47ae1281e8ebdca0563da92267986513d7f95d2ee1be41374d02fdaf7f3ccde
Instruction ID: fbdd2f73c0f815d9e54b2202e9bc868bbcd056e3662c810533a98348271adc64
Opcode Fuzzy Hash: b47ae1281e8ebdca0563da92267986513d7f95d2ee1be41374d02fdaf7f3ccde
Instruction Fuzzy Hash: 36A1C330B102118BEB1AAB75C5547BEB7F2BF84348F108528DA16977D9EF748C86CB51

Function 00E0A6D4 Relevance: 1.3, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00E0A748

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ee2f73682bb184d9fd2383a7f9abf21766754ce139538e331147a4d476dc4983
Instruction ID: 0db53a0037d0fde099bb4738a7dc2f74274b225dbcdc63ae617111a3d47e16a5
Opcode Fuzzy Hash: ee2f73682bb184d9fd2383a7f9abf21766754ce139538e331147a4d476dc4983
Instruction Fuzzy Hash: 2921C27550A3C09FDB128B25DC95752BFB8AF07320F0D84EBDC858F6A3D2649908C762

Function 00E0A716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00E0A748

Memory Dump Source

Source File: 00000000.00000002.3810342899.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ceda3834709cf671391ba1aeafcb0f6047a0774dcc58d077dbaa94c3575c921b
Instruction ID: fe04f5c0fc9cb5f0a1cfb9900f2e543f883c54277fafbf04fd7b995497e430e5
Opcode Fuzzy Hash: ceda3834709cf671391ba1aeafcb0f6047a0774dcc58d077dbaa94c3575c921b
Instruction Fuzzy Hash: EB01DF71A003448FEB10CF15D9857A6FBE4EF00320F0CC4ABDD499B682D275E888CAA2

Function 012002C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e18d77d7d0f4d49b9880b9987dc9c99314b8b98f221f714d93d45d98036b67
Instruction ID: 61f9af09b61b9ff047df8922e4037711b24bb320d36dfd249f2f73eb3c9d7e63
Opcode Fuzzy Hash: 05e18d77d7d0f4d49b9880b9987dc9c99314b8b98f221f714d93d45d98036b67
Instruction Fuzzy Hash: 84B15E34A10120CFD71AEB66E958B5F7BF2FF89250B108624EB169739DEB309C41CB94

Function 01200C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551c282fb6c632c09975cf2ce871d7c11eb9237072b23efbf609da4dcc8b289f
Instruction ID: 6ea2db9b1443d9a9efb15628126f6c60c0d1c991fa6db6f456d6f41dba615e4e
Opcode Fuzzy Hash: 551c282fb6c632c09975cf2ce871d7c11eb9237072b23efbf609da4dcc8b289f
Instruction Fuzzy Hash: 1C213A30B003448FC756EB39C4017AEBBE69F86248F48853CD585DB781EF799D0287A2

Function 01200CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96de19b4940386aec39236a345692535310ca4e51a0ac72421a19adeadf07073
Instruction ID: ff3f9a4ae2eea2de179fbf24754ee42bb2ca3386d1854abd7c51bd025e9b03ba
Opcode Fuzzy Hash: 96de19b4940386aec39236a345692535310ca4e51a0ac72421a19adeadf07073
Instruction Fuzzy Hash: F72127347007148BCB15EB3AC5417AFB7E69FC5248B44893CD186EB781DF79E90687A2

Function 01200BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795d25cfa15a5f52bb9d46c58b3730d069e4439574aaf7868a1fee433335791c
Instruction ID: 80eeacaebe50fd0e991a9a21aaee413ba3955b337a0768221c73481904909745
Opcode Fuzzy Hash: 795d25cfa15a5f52bb9d46c58b3730d069e4439574aaf7868a1fee433335791c
Instruction Fuzzy Hash: 4D11A032A10118AFCF05ABB4D844ADF7BF6BF88214B054575E605E7764EF31A81A8B90

Function 0117080C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810633330.0000000001170000.00000040.00000020.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb228faea672a4372d1b4a02556bb0783fe29678e9127dae39f2ac709cbb67f
Instruction ID: 7bca185ff5acd9000de7b9f082e55dabdbf91ad826d24b88a0c8287993dae3af
Opcode Fuzzy Hash: 1eb228faea672a4372d1b4a02556bb0783fe29678e9127dae39f2ac709cbb67f
Instruction Fuzzy Hash: 870184B6409780AFD301DB55EC41C57BBF8DF86524B09C8AAEC488B602D265B9188BB2

Function 011705E2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810633330.0000000001170000.00000040.00000020.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939da8005574926f4826de0f75a412229ebbeb64dd659cb320ab1dc8dafc874a
Instruction ID: a2e0dd333b5ddd01eaaa2ab4428433d837dcb764239771b847a42b3ed5b07f39
Opcode Fuzzy Hash: 939da8005574926f4826de0f75a412229ebbeb64dd659cb320ab1dc8dafc874a
Instruction Fuzzy Hash: 26F0A9B65093805FD7528B15AC40863FFB8EB86620749C4DFEC8987752D265B908C7B2

Function 0117082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810633330.0000000001170000.00000040.00000020.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58b4cde3b1bff3a53b26cbe68a569a20798e13bc5ae72b29f3b3c77d239f807
Instruction ID: 717164dab453351ba6943a000c52c33588d5a16829b654958ba23b497b7469b5
Opcode Fuzzy Hash: e58b4cde3b1bff3a53b26cbe68a569a20798e13bc5ae72b29f3b3c77d239f807
Instruction Fuzzy Hash: 2DF082B2945204ABD200DF45ED4589AF7ECDF85521F04C96EEC488B700E276B9194AE2

Function 01200C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccbd8a975cca1dba828087c073407360c7e0cdc9495429e3786738264fe78ed
Instruction ID: 510f33699278a886c5e89b500f0c6c2add096aca04ea3143fadd8a4daad47341
Opcode Fuzzy Hash: 4ccbd8a975cca1dba828087c073407360c7e0cdc9495429e3786738264fe78ed
Instruction Fuzzy Hash: 14E0DF31F142141FCB88DABC8C102EEBFF5EB86164B9844BAD108D7740EA318C068780

Function 01170606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810633330.0000000001170000.00000040.00000020.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e8abe9b588f1dea05dcd5ebb795752bdfd86ba0066471cd3b871a751e98f86
Instruction ID: 9590d22a8955ecd5a35d2e7c82111bfb17db0ac40b0db18b09622f37fc6284c0
Opcode Fuzzy Hash: 13e8abe9b588f1dea05dcd5ebb795752bdfd86ba0066471cd3b871a751e98f86
Instruction Fuzzy Hash: 4FE092B66446044BD650CF0AFC81452F7E8EB84630708C47FDC0D8BB11D675B508CAA5

Function 01200C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822180ed3cc3b1194037bd32ec6572cb2004722a34a9e053ec8c3012038f3623
Instruction ID: 009515d3d120a64f44c8c399dbb4ba0a433f5ad7af46d9d071f93715332f3cae
Opcode Fuzzy Hash: 822180ed3cc3b1194037bd32ec6572cb2004722a34a9e053ec8c3012038f3623
Instruction Fuzzy Hash: 13D01731F002282B8B58EAB998506EEBAEA9B85168B5484799109E7B40EF3198168794

Function 01200E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea04e4d19b119a862d9fb3dc9dd37c7da18db10481f8f1e127dfca758021de9
Instruction ID: f9f324026051f0b3353e1b0e5dcf23dfdffd2dd3ab92075483cacfc32fcaa7bd
Opcode Fuzzy Hash: aea04e4d19b119a862d9fb3dc9dd37c7da18db10481f8f1e127dfca758021de9
Instruction Fuzzy Hash: 13E02C3020A3408FCB039B38C804AA97FB01F87204F8882AAC1448F2B3C639C806C700

Function 01200DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ca3c331c183a50aaf0990bbe82438f08ae924ef406ff367b79ad01dc48339b
Instruction ID: 6015e3c60579c2003704aeca899ceb5ff8d6a0aaf00d205ebd8c7a27f7aab4ce
Opcode Fuzzy Hash: b8ca3c331c183a50aaf0990bbe82438f08ae924ef406ff367b79ad01dc48339b
Instruction Fuzzy Hash: 09E0C2302253408FD7075B34D814BA13FF16B82214F4D82E6D9448B7A3DA28CC85C790

Function 00E023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810330471.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e02000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b391e967e0f9d0116567ead3decaefd39d5bba3a084f6b4d56ea09c206fd3992
Instruction ID: a059440542158f6d3e3734fbae71d879466c10ca07f2c1f65227595b842dd126
Opcode Fuzzy Hash: b391e967e0f9d0116567ead3decaefd39d5bba3a084f6b4d56ea09c206fd3992
Instruction Fuzzy Hash: 57D05E792056C14FD3169A1CC2A8B9537D4AB51718F4A44FDAC408B7A3C768D9C5E640

Function 00E023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810330471.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e02000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab631c6dddf077b46442c268d1b0c524c7559c50e19699aa1d752ed303566783
Instruction ID: 40f91b2472995096554275db02e4d9dce681d2210c59f0ecc9e06933d8f50b45
Opcode Fuzzy Hash: ab631c6dddf077b46442c268d1b0c524c7559c50e19699aa1d752ed303566783
Instruction Fuzzy Hash: 87D05E342006824BCB15DA0CD6D8F5937D8AB40718F1A44ECBC108B7A6C7BCD8C5CA00

Function 01200DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0d26f793c8268d8b92da81aa2fdc5c6c4cca98c2c2da921dd0a5bafd79d1c4
Instruction ID: 15c6dfc6fcd92c97abd0fd476866d2ab249d1e549d628c375fce40cca751a2dd
Opcode Fuzzy Hash: bb0d26f793c8268d8b92da81aa2fdc5c6c4cca98c2c2da921dd0a5bafd79d1c4
Instruction Fuzzy Hash: 58C012302102048BE706A769D418F2677965BD0244F45C66496080B3E6DA70EC80C684

Function 01200E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3810683597.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10e2bb533ebf946fc475be9996dfd1523f765e58d13845a272a93b1ef2892c4
Instruction ID: bd23dca78cbfb53185d0caa227c4ca23467332cef61ac506919c4dcde6daf8e9
Opcode Fuzzy Hash: b10e2bb533ebf946fc475be9996dfd1523f765e58d13845a272a93b1ef2892c4
Instruction Fuzzy Hash: D3C012302102048BE705A769D558F2A77955BD5244F84C264A6081B3E6DA70EC40C644

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 8632, Parent PID: 3084

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Windows Analysis Report
MDE_File_Sample_5c36f343639864ca048d9aff98fc24b2e8bfbb7c.zip