
Windows Analysis Report
OpenSSH-Win64.zip

Overview

General Information

Sample Name: OpenSSH-Win64.zip
Analysis ID: 634742
MD5: 2b18fe81c9b573a60d2adad72c44863d
SHA1: 25e3848b88f8edc1a7ae005870bb2af897349451
SHA256: 8b3b9782522132b16e024ae8e0b17ad2cb16a964dc84588c3bf05f275c733afd

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates files with lurking names (e.g. Crack.exe)
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Classification


Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/", "--")
  • System is w10x64
  • unarchiver.exe (PID: 6808 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\OpenSSH-Win64.zip MD5: F737DE1D0C50E20064ACCB6647B50F6C)
    • 7za.exe (PID: 6840 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mnewwgmq.irc" "C:\Users\user\Desktop\OpenSSH-Win64.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\LICENSE.txt
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\__MACOSX\OpenSSH-Win64\._LICENSE.txt
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-agent.pdbl source: ssh-agent.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-agent.pdb source: ssh-agent.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-sk-helper.pdb source: ssh-sk-helper.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp-server.pdb source: sftp-server.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-keyscan.pdb source: ssh-keyscan.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-keygen.pdb source: ssh-keygen.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp.pdb source: sftp.exe
Source: Binary string: C:\LibreSSL\build_X64\crypto\Release\libcrypto.pdb& source: libcrypto.dll
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh.pdb source: ssh.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-pkcs11-helper.pdbq source: ssh-pkcs11-helper.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-pkcs11-helper.pdb source: ssh-pkcs11-helper.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\scp.pdb source: scp.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp.pdbO source: sftp.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-add.pdb source: ssh-add.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-add.pdb{ source: ssh-add.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-shellhost.pdb source: ssh-shellhost.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp-server.pdbK source: sftp-server.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\scp.pdbM source: scp.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sshd.pdb source: sshd.exe
Source: Binary string: C:\LibreSSL\build_X64\crypto\Release\libcrypto.pdb source: libcrypto.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 027909D3h | 0_2_027902A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 027909D2h | 0_2_027902A8
Source: LICENSE.txt, NOTICE.txt | String found in binary or memory: http://www.cs.hut.fi/crypto
Source: NOTICE.txt | String found in binary or memory: http://www.openssl.org/)
Source: FixHostFilePermissions.ps1 | String found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH.
Source: manifest.spdx.json | String found in binary or memory: https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:Ifmy0CRpKEe0S33n1Rdb-w/1908:250564/OpenSSH:8.9.1.0:e
Source: unarchiver.exe, 00000000.00000002.309613752.0000000000B60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keygen.exe
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\__MACOSX\OpenSSH-Win64\._ssh-keygen.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_00DC2477 | 0_2_00DC2477
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_027902A8 | 0_2_027902A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_02790298 | 0_2_02790298
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\OpenSSH-Win64.zip
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mnewwgmq.irc" "C:\Users\user\Desktop\OpenSSH-Win64.zip
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\32fpwng5.x3v
Source: scp.exe | String found in binary or memory: ssh-pkcs11-helper.exe
Source: scp.exe | String found in binary or memory: ssh-sk-helper.exe
Source: sftp.exe | String found in binary or memory: ssh-pkcs11-helper.exe
Source: sftp.exe | String found in binary or memory: ssh-sk-helper.exe
Source: sftp.exe | String found in binary or memory: [2JC:\OpenSSH\contrib\win32\openssh\..\..\..\misc.c*tcp:/://addargs: argument too longaddargsreplacearg: argument too longreplaceargreplacearg: tried to replace invalid arg %d >= %dNo such user %stilde_expandNo such uid %ld%s%s%sxasprintf failedPath too longinvalid formatCouldn't open /dev/null: %s
Source: ssh-add.exe | String found in binary or memory: C:\OpenSSH\contrib\win32\openssh\..\..\..\ssh-add.c
Source: ssh-add.exe | String found in binary or memory: usage: ssh-add [-cDdKkLlqvXx] [-E fingerprint_hash] [-S provider] [-t life]
Source: ssh-add.exe | String found in binary or memory: ssh-add -s pkcs11
Source: ssh-add.exe | String found in binary or memory: ssh-add -e pkcs11
Source: ssh-add.exe | String found in binary or memory: ssh-add -T pubkey ...
Source: ssh-add.exe | String found in binary or memory: sshkey_newdelete_stdinC:\OpenSSH\contrib\win32\openssh\..\..\..\ssh-add.c(stdin):%d: invalid key(stdin)-Bad key file %s: %s
Source: ssh-add.exe | String found in binary or memory: ssh-sk-helper.exe
Source: ssh-add.exe | String found in binary or memory: C:\Windows\System32\OpenSSH\ssh-sk-helper.exe
Source: ssh-add.exe | String found in binary or memory: ssh-pkcs11-helper.exe
Source: ssh-add.exe | String found in binary or memory: C:\OpenSSH\bin\x64\Release\ssh-add.pdb
Source: ssh-add.exe | String found in binary or memory: C:\OpenSSH\bin\x64\Release\ssh-add.pdb{
Source: ssh-agent.exe | String found in binary or memory: ssh-pkcs11-helper.exe
Source: ssh-agent.exe | String found in binary or memory: C:\Windows\System32\OpenSSH\ssh-pkcs11-helper.exe
Source: ssh-agent.exe | String found in binary or memory: ssh-pkcs11-helper
Source: ssh-agent.exe | String found in binary or memory: ssh-sk-helper.exe
Source: ssh-agent.exe | String found in binary or memory: C:\Windows\System32\OpenSSH\ssh-sk-helper.exe
Source: ssh-keygen.exe | String found in binary or memory: source-address
Source: ssh-keygen.exe | String found in binary or memory: source-address=
Source: ssh-keygen.exe | String found in binary or memory: Empty source-address option
Source: ssh-keygen.exe | String found in binary or memory: source-address already specified
Source: ssh-keygen.exe | String found in binary or memory: Invalid source-address list
Source: ssh-keygen.exe | String found in binary or memory: ssh-sk-helper.exe
Source: ssh-keygen.exe | String found in binary or memory: C:\Windows\System32\OpenSSH\ssh-sk-helper.exe
Source: ssh-keygen.exe | String found in binary or memory: ssh-pkcs11-helper.exe
Source: ssh-pkcs11-helper.exe | String found in binary or memory: C:\OpenSSH\contrib\win32\openssh\..\..\..\ssh-pkcs11-helper.c
Source: ssh-pkcs11-helper.exe | String found in binary or memory: ssh-sk-helper.exe
Source: ssh-pkcs11-helper.exe | String found in binary or memory: ssh-pkcs11-helper.exe
Source: ssh-pkcs11-helper.exe | String found in binary or memory: C:\OpenSSH\bin\x64\Release\ssh-pkcs11-helper.pdb
Source: ssh-pkcs11-helper.exe | String found in binary or memory: C:\OpenSSH\bin\x64\Release\ssh-pkcs11-helper.pdbq
Source: ssh-sk-helper.exe | String found in binary or memory: C:\OpenSSH\contrib\win32\openssh\..\..\..\ssh-sk-helper.c
Source: ssh-sk-helper.exe | String found in binary or memory: %s: %sreply_errorC:\OpenSSH\contrib\win32\openssh\..\..\..\ssh-sk-helper.cinvalid error code %d%s: sshbuf_new failed%s: buffer error%s: parseprocess_sign%s: trailing data in request%s: Unable to parse private key%s: Unsupported key type %sssh:%s: web-origin keyready to sign with key %s, provider %s: msg len %zu, compat 0x%lxSigning failed: %s%s: composeprocess_enroll%s: bad type %u%s: bogus applicationEnrollment failed: %s%s: encode keyprocess_load_residentsshsk_load_resident failed: %s%s: non-ssh applicationkey %zu %s %s uidlen %zu%s: compose keyvusage: %s [-v]
Source: ssh-sk-helper.exe | String found in binary or memory: C:\OpenSSH\bin\x64\Release\ssh-sk-helper.pdb
Source: ssh.exe | String found in binary or memory: found %s key under different name/addr at %s:%ld
Source: ssh.exe | String found in binary or memory: host key found matching a different name/address, skipping UserKnownHostsFile update
Source: ssh.exe | String found in binary or memory: This host key is known by the following other names/addresses:
Source: ssh.exe | String found in binary or memory: ssh-sk-helper.exe
Source: ssh.exe | String found in binary or memory: C:\Windows\System32\OpenSSH\ssh-sk-helper.exe
Source: ssh.exeString found in binary or memory: ssh-pkcs11-helper.exe
Source: ssh.exeString found in binary or memory: character conversion failed%cInvalid parameter in function: %ls. File: %ls Line: %d.invalid_parameter_handlerExpression: %sfailed to retrieve the owner sid and dacl of file: %ls with error code: %dget_others_file_permissionsIsValidSid: %d; NULL Acl: %d; IsValidAcl: %dGetAce() failedConvertStringSecurityDescriptorToSecurityDescriptorW failed with error code %dIsValidSecurityDescriptor return FALSEfailed to set the environment variable:%s to value:%s, error:%dc28fc6f98a2c44abbbd89d6a3037d0d9_POSIX_CHROOTunable to know if I am running as systemam_systemadministratorsresolveAsAdminsSid:%dlookup_sidFailed to allocate memoryFailed to retrieve SID for user:%S error:%dGetComputerNameW() failed with error:%dInvalid account type: %d for user:%Slocal user name is same as machine name\sftp-server.exebuild_commandline_string%s invalid argument cmd:%sfailed to duplicate %sSSH_TEST_ENVIRONMENT/cygdrive/getpeereid%s is not supportedgetrrsetbynamec28fc6f98a2c44abbbd89d6a3037d0d9_POSIX_FD_STATEERROR: MAX_FDS limit reachedfd_table_get_min_indexC:\OpenSSH\contrib\win32\openssh\..\..\..\contrib\win32\win32compat\w32fd.cunable to retrieve wpgmptrinit_prog_paths%s out of memoryProgramDatacouldn't find ProgramData environment variablefailed to initialize w32posix wrapperw32posix_initializew32_accept%s ERROR: bad fd: %d%s ERROR: not sock :%dUnix domain server sockets are not supportedw32_setsockoptw32_getsockoptw32_getsocknamew32_getpeernamew32_listenw32_bindw32_connectw32_shutdownw32_readw32_writew32_fstatfdopen - ERROR bad fd: %dw32_fdopenfcntl - ERROR unsupported flags %d, io:%pw32_io_process_fd_flagsfcntl - SetHandleInformation failed with error:%d, io:%pw32_fcntlfcntl - ERROR not supported cmd:%dselect - ERROR: invalid fds: %dw32_selectselect - ERROR: null fd_setsselect - ERROR: empty fd_setsselect - ERROR: max #events breachselect - ERROR: max #events reached for selectWSADuplicateSocket failed, WSALastError: %ddup_handleWSASocketW 
failed, WSALastError: %ddup - ERROR: DuplicatedHandle() :%dw32_dup2w32_dupfork is not supportedforksshd.exeFIDO_DEBUGssh-pkcs11-helper.exeCreating process with CREATE_NO_WINDOWspawn_child_internalspawning %ls as userspawning %ls as subprocessCreateProcessAsUserWCreateProcessW%s failed error:%dfd_decode_stateacceptEx - getsockname() ERROR:%d, io:%psocketio_acceptExC:\OpenSSH\contrib\win32\openssh\..\..\..\contrib\win32\win32compat\socketio.cacceptEx - socket() ERROR:%d, io:%pacceptEx - AcceptEx() ERROR:%d, io:%pWSARecv - ERROR:%d, io:%psocketio_WSARecvWSARecv - WSARecv() ERROR: io:%p %dsocket - ERROR:%d, io:%psocketio_socketsocket - socket() ERROR:%d, io:%psocketio_setsockopt%s - ERROR:%dsetsockop - ERROR: unsupported optname:%d io:%psocketio_getsockoptsocketio_getsocknamesocketio_getpeernamelisten - listen() ERROR:%d io:%psocketio_listenlisten - ERROR:%d, io:%plisten - Ioctl1 ERROR:%d, io:%plisten - Ioctl2 ERROR:%d, io:%plisten - CreateEvent() ERROR:%d, io:%psocketio_bindrecv - ERROR: invalid arguments, buf:%p, len:%d, io:%psocketio_recv
Source: sshd.exeString found in binary or memory: source-address
Source: sshd.exeString found in binary or memory: Certificate has multiple source-address options
Source: sshd.exeString found in binary or memory: Certificate source-address contents invalid
Source: sshd.exeString found in binary or memory: sshbuf_fromb failedcert_option_listC:\OpenSSH\contrib\win32\openssh\..\..\..\auth-options.cUnable to parse certificate optionsfound certificate option "%.100s" len %zuno-touch-requiredpermit-X11-forwardingpermit-agent-forwardingpermit-port-forwardingpermit-ptypermit-user-rcverify-requiredforce-commandUnable to parse "%s" sectionCertificate has multiple force-command optionssource-addressCertificate has multiple source-address optionsCertificate source-address contents invalidCertificate critical option "%s" is not supportedCertificate extension "%s" is not supportedCertificate option "%s" corrupt (extra data)unknown errortoo many permission directives*:%smemory allocation failedinvalid permission hostname*invalid permission portrestrictcert-authorityport-forwardingagent-forwardingx11-forwardingtouch-requiredptyuser-rccommandmultiple "command" clausesprincipalsmultiple "principals" clausesfrommultiple "from" clausesexpiry-timeinvalid expires timeenvironmenttoo many environment stringsinvalid environment stringpermitopenpermitlistentunnelinvalid tun deviceunknown key optionunexpected end-of-optionsinternal errorforced command options do not matchyestrueUser %s hosts file %s is not a regular filecheck_rhosts_fileC:\OpenSSH\contrib\win32\openssh\..\..\..\auth-rhosts.crNO_PLUS%1023s %1023s %1023sFound empty line in %.100s.Found garbage in %.100s.Ignoring wild host/user names in %.100s.Matched negative entry in %.100s..shosts.rhostsclientuser %s hostname %s ipaddr %sauth_rhosts2%s/%s/etc/hosts.equiv__PROGRAMDATA__\ssh/shosts.equivno hosts access files existroot user, ignoring system hosts filesAccepted for %.100s [%.100s] by /etc/hosts.equiv.Accepted for %.100s [%.100s] by %.100s.Rhosts authentication refused for %.100s: no home directory %.200sRhosts authentication refused for %.100s: bad ownership or modes for home directory.Rhosts authentication refused for %.100s: bad modes for %.200sBad file modes for %.200sServer 
has been configured to ignore %.100s.Accepted by %.100s.Accepted host %s ip %s client_user %s server_user %s`
Source: sshd.exeString found in binary or memory: %s: Certificate source-address invalid
Source: sshd.exeString found in binary or memory: ssh-sk-helper.exe
Source: sshd.exeString found in binary or memory: C:\Windows\System32\OpenSSH\ssh-sk-helper.exe
Source: sshd.exeString found in binary or memory: ssh-pkcs11-helper.exe
Source: classification engineClassification label: sus24.evad.winZIP@4/57@0/0
Source: OpenSSH-Win64.zipStatic file information: File size 4389599 > 1048576
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-agent.pdbl source: ssh-agent.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-agent.pdb source: ssh-agent.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-sk-helper.pdb source: ssh-sk-helper.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp-server.pdb source: sftp-server.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-keyscan.pdb source: ssh-keyscan.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-keygen.pdb source: ssh-keygen.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp.pdb source: sftp.exe
Source: Binary string: C:\LibreSSL\build_X64\crypto\Release\libcrypto.pdb& source: libcrypto.dll
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh.pdb source: ssh.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-pkcs11-helper.pdbq source: ssh-pkcs11-helper.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-pkcs11-helper.pdb source: ssh-pkcs11-helper.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\scp.pdb source: scp.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp.pdbO source: sftp.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-add.pdb source: ssh-add.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-add.pdb{ source: ssh-add.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\ssh-shellhost.pdb source: ssh-shellhost.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sftp-server.pdbK source: sftp-server.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\scp.pdbM source: scp.exe
Source: Binary string: C:\OpenSSH\bin\x64\Release\sshd.pdb source: sshd.exe
Source: Binary string: C:\LibreSSL\build_X64\crypto\Release\libcrypto.pdb source: libcrypto.dll
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-agent.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\libcrypto.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keygen.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-add.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-pkcs11-helper.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keyscan.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-shellhost.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-sk-helper.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sshd.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp-server.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\scp.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\LICENSE.txtJump to behavior
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\__MACOSX\OpenSSH-Win64\._LICENSE.txtJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6828Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\libcrypto.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-agent.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keygen.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-add.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-pkcs11-helper.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keyscan.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-shellhost.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-sk-helper.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sshd.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\scp.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp-server.exeJump to dropped file
Source: C:\Windows\SysWOW64\unarchiver.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_00DCB042 GetSystemInfo,0_2_00DCB042
Source: C:\Windows\SysWOW64\unarchiver.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: OpenSSHUtils.psd1Binary or memory string: # IFBDQSAyMDEwAhMzAAABlbf8DdbjNzElAAEAAAGVMCIEIKxw5U3QTCROpE5Pp7yi
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mnewwgmq.irc" "C:\Users\user\Desktop\OpenSSH-Win64.zipJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (a number before a technique is the count of matched signatures):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 System Information Discovery; System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (ID 634742; sample OpenSSH-Win64.zip; start date 26/05/2022; architecture WINDOWS; score 24):
  unarchiver.exe started
    -> 7za.exe started
         dropped: C:\Users\user\AppData\...\ssh-keygen.exe (PE32+)
         dropped: C:\Users\user\AppData\...\._ssh-keygen.exe (AppleDouble)
         dropped: C:\Users\user\AppData\Local\Temp\...\sshd.exe (PE32+)
         dropped: 11 other files (none is malicious)
         signature: Creates files with lurking names (e.g. Crack.exe)
         -> conhost.exe started

No Antivirus matches
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\libcrypto.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\libcrypto.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\scp.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\scp.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp-server.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp-server.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\sftp.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-add.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-add.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-agent.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-agent.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keygen.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-keyscan.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\mnewwgmq.irc\OpenSSH-Win64\ssh-pkcs11-helper.exe | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:Ifmy0CRpKEe0S33n1Rdb-w/1908:250564/OpenSSH:8.9.1.0:e | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:Ifmy0CRpKEe0S33n1Rdb-w/1908:250564/OpenSSH:8.9.1.0:e | manifest.spdx.json | false | Avira URL Cloud: safe | unknown
http://www.cs.hut.fi/crypto | LICENSE.txt, NOTICE.txt | false | | high
http://www.openssl.org/) | NOTICE.txt | false | | high
https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH. | FixHostFilePermissions.ps1 | false | | high
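The dropped-file table above lists thirteen OpenSSH PE files that no VirusTotal or ReversingLabs engine flags, and the archive also carries a manifest.spdx.json (the sbom.microsoft URL is extracted from it). A zero detection rate says nothing about whether these are the untouched release binaries; the SBOM does, because it records a SHA-256 for every shipped file. The Python below is an added example, not part of this report or of the Win32-OpenSSH project: it walks an extracted tree, compares every file against the manifest, and reports hash mismatches, files listed but absent, and files present but unlisted. The __MACOSX\OpenSSH-Win64\._LICENSE.txt and ._ssh-keygen.exe AppleDouble entries the sandbox extracted are exactly the kind of unlisted extra it surfaces: Finder writes them when a folder is re-zipped on macOS, so this archive is not the byte-identical upstream zip even though every binary scans clean. Assumed, and not stated by the report: the SPDX 2.2 JSON layout (files[].fileName plus a SHA256 entry under files[].checksums) and the _manifest/spdx_2.2/manifest.spdx.json location that Microsoft's sbom-tool writes; the demo tree the block builds is constructed data.

```python
"""Check an extracted OpenSSH-Win64 tree against the SPDX SBOM it ships with.
Added example, not part of the sandbox report or the Win32-OpenSSH project.
Assumed: an SPDX 2.2 JSON manifest ("files" entries with "fileName" and a SHA256
"checksums" entry) at _manifest/spdx_2.2/manifest.spdx.json, the layout Microsoft's
sbom-tool writes. The demo tree below is constructed data, not from the report."""
import hashlib
import json
import os
import tempfile

MANIFEST_REL = "_manifest/spdx_2.2/manifest.spdx.json"  # assumed sbom-tool layout


def sha256_file(path):
    """SHA-256 of a file, streamed so large PEs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest_hashes(manifest_path):
    """Return {relative_path: sha256_hex}; './' prefixes and backslashes are
    normalised so names compare equal to the paths os.walk yields below."""
    with open(manifest_path, "r", encoding="utf-8") as f:
        doc = json.load(f)
    hashes = {}
    for entry in doc.get("files", []):
        name = entry["fileName"].replace("\\", "/")
        if name.startswith("./"):
            name = name[2:]
        for cs in entry.get("checksums", []):
            if cs.get("algorithm", "").upper() == "SHA256":
                hashes[name] = cs["checksumValue"].lower()
    return hashes


def verify_tree(root, manifest_hashes):
    """Classify every file under root: ok (hash matches), mismatch (hash differs),
    unlisted (on disk but not in the manifest), missing (in the manifest only)."""
    result = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith("_manifest/"):
                continue  # the manifest does not describe itself
            seen.add(rel)
            expected = manifest_hashes.get(rel)
            if expected is None:
                result["unlisted"].append(rel)
            elif sha256_file(full) == expected:
                result["ok"].append(rel)
            else:
                result["mismatch"].append(rel)
    result["missing"] = [p for p in manifest_hashes if p not in seen]
    for bucket in result.values():
        bucket.sort()
    return result


def build_demo_tree():
    """Constructed tree: three listed files (one tampered after the manifest was
    written), one listed file never extracted, and a stray AppleDouble stub."""
    root = tempfile.mkdtemp(prefix="openssh-sbom-demo-")
    files = {
        "OpenSSH-Win64/ssh.exe": b"MZ\x90\x00 stand-in for ssh.exe",
        "OpenSSH-Win64/sshd.exe": b"MZ\x90\x00 stand-in for sshd.exe",
        "OpenSSH-Win64/LICENSE.txt": b"This file is part of the OpenSSH software.",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    entries = [{"fileName": "./" + rel, "checksums": [
                {"algorithm": "SHA256", "checksumValue": hashlib.sha256(data).hexdigest()}]}
               for rel, data in files.items()]
    entries.append({"fileName": "./OpenSSH-Win64/scp.exe",  # listed, never extracted
                    "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]})
    manifest_path = os.path.join(root, *MANIFEST_REL.split("/"))
    os.makedirs(os.path.dirname(manifest_path), exist_ok=True)
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump({"spdxVersion": "SPDX-2.2", "files": entries}, f)
    with open(os.path.join(root, "OpenSSH-Win64", "sshd.exe"), "ab") as f:
        f.write(b" tampered")  # modified after the manifest was produced
    stray = os.path.join(root, "__MACOSX", "OpenSSH-Win64", "._LICENSE.txt")
    os.makedirs(os.path.dirname(stray), exist_ok=True)
    with open(stray, "wb") as f:
        f.write(b"\x00\x05\x16\x07")  # AppleDouble magic, as Finder writes it
    return root


def demo():
    root = build_demo_tree()
    manifest = load_manifest_hashes(os.path.join(root, *MANIFEST_REL.split("/")))
    return verify_tree(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it on the real extraction, point verify_tree at the directory 7za.exe produced (C:\Users\user\AppData\Local\Temp\mnewwgmq.irc in this report) instead of build_demo_tree(). A hash match only proves the files equal what the manifest author hashed; on Windows, follow up with Get-AuthenticodeSignature on each PE, since the signature check is what ties the binaries to the expected publisher rather than to whoever produced the manifest.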
        No contacted IP infos
        Joe Sandbox Version:34.0.0 Boulder Opal
        Analysis ID:634742
        Start date and time: 26/05/2022 18:49:09 (2022-05-26 18:49:09 +02:00)
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 6m 0s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:OpenSSH-Win64.zip
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed:26
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:SUS
        Classification:sus24.evad.winZIP@4/57@0/0
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 45
        • Number of non-executed functions: 1
        Cookbook Comments:
        • Found application associated with file extension: .zip
        • Adjust boot time
        • Enable AMSI
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 184.30.21.144
        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
        • Not all processes were analyzed, report is missing behavior information
        No simulations
        No context
        Process:C:\Windows\SysWOW64\unarchiver.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):388
        Entropy (8bit):5.2529463157768355
        Encrypted:false
        SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
        MD5:FF3B761A021930205BEC9D7664AE9258
        SHA1:1039D595C6333358D5F7EE5619FE6794E6F5FDB1
        SHA-256:A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
        SHA-512:1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
        Malicious:false
        Reputation:high, very likely benign file
        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
        Process:C:\Windows\SysWOW64\unarchiver.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1463
        Entropy (8bit):5.073748979318824
        Encrypted:false
        SSDEEP:24:lZ5wuW//iJo/iJjWIo/iJo/iJUwa/iJfTz/iJo/iJFT3wu/iJbO/iJQwu/iJon/Q:H5K3G6Gb6G6GpUGLrG6Gp3jGbYGQjGiQ
        MD5:42B578A4FA3C29FE14E357659D51BC81
        SHA1:B03CA43A88902BCAAD43DB4F17CE8290F5103D4C
        SHA-256:E5755F1F30F5D76E48F704927ED9D82EFB72AAB76F575AFFF462A55CE61720F2
        SHA-512:4700601FF3DC842E1868B30841E5966DC9EE8BF702416F45CD1E7D6E0C40C5DB27F2AF45AD0A8AE6B2833D07D5A4DD9D5ACB97DE1D53AED3310FF555109FA42C
        Malicious:false
        Reputation:low
        Preview:05/26/2022 6:50 PM: Unpack: C:\Users\user\Desktop\OpenSSH-Win64.zip..05/26/2022 6:50 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\mnewwgmq.irc..05/26/2022 6:50 PM: Received from standard out: ..05/26/2022 6:50 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..05/26/2022 6:50 PM: Received from standard out: ..05/26/2022 6:50 PM: Received from standard out: Scanning the drive for archives:..05/26/2022 6:50 PM: Received from standard out: 1 file, 4389599 bytes (4287 KiB)..05/26/2022 6:50 PM: Received from standard out: ..05/26/2022 6:50 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\OpenSSH-Win64.zip..05/26/2022 6:50 PM: Received from standard out: --..05/26/2022 6:50 PM: Received from standard out: Path = C:\Users\user\Desktop\OpenSSH-Win64.zip..05/26/2022 6:50 PM: Received from standard out: Type = zip..05/26/2022 6:50 PM: Received from standard out: Physical Size = 4389599..05/26/2022 6:50 PM: Received
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
        Category:dropped
        Size (bytes):16763
        Entropy (8bit):6.065404492832214
        Encrypted:false
        SSDEEP:384:xp8DoVBTN6hEfVJzQS8DAppYUOCOek0+l59LryVj1cmPGzKmGTy+dlhzRWdhtz:xp3BTrdJcS8DAkXCon59vSjpPGzKHuSs
        MD5:5A3FB827CE971668FF504EA78607CA8F
        SHA1:9BD158953AFFC23E5B555CFEBB5F68434D1916A0
        SHA-256:7DA9AC4E50FB8B5AD17E7BE84A043392265365E6B59B929EA3DF1DAA1B6D5AEA
        SHA-512:41BE187B9F504005A55EE0E47E259EC2102ABE3A18DF74B67AF5C710325C8EA14C3803CCB5EE0D07F6D578CE5C9F72B108BB4D63ACBBE9193483EC6D2E039027
        Malicious:false
        Reputation:low
        Preview:.[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]..param ()..Set-StrictMode -Version 2.0..If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path}..Import-Module $PSScriptRoot\OpenSSHUtils -Force....#check sshd config file..$sshdConfigPath = join-path $env:ProgramData\ssh "sshd_config"..if(Test-Path $sshdConfigPath -PathType Leaf)..{.. Repair-SshdConfigPermission -FilePath $sshdConfigPath @psBoundParameters..}..else..{.. Write-host "$sshdConfigPath does not exist" -ForegroundColor Yellow..}.. ..#check host keys..<#..$warning = @"..To keep the host private keys secure, it is recommended to register them with ssh-agent following..steps in link https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH...If you choose not to register the keys with ssh-agent, please grant sshd read access to the private host keys after run this script..."@..$prompt = "Did you register host private keys with ssh-agent
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
        Category:dropped
        Size (bytes):15789
        Entropy (8bit):6.053933508080531
        Encrypted:false
        SSDEEP:384:xpliBTN6hEfVJzQS8DAppYUOCOetmIryVj1yhGzKmGTy+dgNh2Bi/Hd4:xpkBTrdJcS8DAkXCAMSj1yhGzKHuSgNO
        MD5:D10EF4800AF32C40BF52EB40D6188F5F
        SHA1:522658FA68CC895A668696B445529EBB730AC452
        SHA-256:7401E1C14A09674BEE5523E8DE56324C51256AA42D38522D52C14DA06DE59C03
        SHA-512:A4667D539386D071342B7F4C0A6DA5D80B24D460DB83A63758879BEED8733A30E76D8DEF4419B6B3BDEA88D080DF62EF3DBF0095739851DF1F6772A605C7D1ED
        Malicious:false
        Reputation:low
        Preview:.[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]..param ()..Set-StrictMode -Version 2.0..If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path}....Import-Module $PSScriptRoot\OpenSSHUtils -Force....if(Test-Path ~\.ssh\config -PathType Leaf)..{.. Repair-UserSshConfigPermission -FilePath ~\.ssh\config @psBoundParameters..}....Get-ChildItem ~\.ssh\* -Include "id_rsa","id_dsa","id_ecdsa","id_ed25519" -ErrorAction SilentlyContinue | ForEach-Object {.. Repair-UserKeyPermission -FilePath $_.FullName @psBoundParameters..}........$sshdAdministratorsAuthorizedKeysPath = join-path $env:ProgramData\ssh "administrators_authorized_keys"..if(Test-Path $sshdAdministratorsAuthorizedKeysPath -PathType Leaf) ..{.. if (([bool]([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))).. {.. Repair-AdministratorsAuth
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):18903
        Entropy (8bit):5.020777344735464
        Encrypted:false
        SSDEEP:384:bS4M1iGvs3hYlCZrSbrssrsVYh9tserssrsUEdYOz3IrsWrsHPhhl538QYSr1frQ:bNGvShYlurSbzph9tsezKdJYBYhh338/
        MD5:71A86EFE3C2E6588EACEB4FE81C0116A
        SHA1:4244F12071B98484AE82A4AA6BCBC3A0891DC5C3
        SHA-256:83290B39C64E7F64AD1D453E79FD10D371A6BA866B5DF9E3ACE5630826969625
        SHA-512:1BBE70477B577EC491C8A6A65A9DC21EA10D36316CEFACE730869C4E87AD530383D141BE451E1B18661D46C4218A553BE7FDCE5D3FF3DB6E80E7B83490A582B3
        Malicious:false
        Reputation:low
        Preview:This file is part of the OpenSSH software.....The licences which components of this software fall under are as..follows. First, we will summarize and say that all components..are under a BSD licence, or a licence more free than that.....OpenSSH contains no GPL code.....1).. * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland.. * All rights reserved.. *.. * As far as I am concerned, the code I have written for this software.. * can be used freely for any purpose. Any derived versions of this.. * software must be clearly marked as such, and if the derived work is.. * incompatible with the protocol description in the RFC file, it must be.. * called by a name other than "ssh" or "Secure Shell"..... [Tatu continues].. * However, I am not implying to give any licenses to any patents or.. * copyrights held by third parties, and the software includes parts that.. * are not under my direct control. As far as I kn
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):36008
        Entropy (8bit):5.194784451961882
        Encrypted:false
        SSDEEP:768:TuNGvShYlurSbzph9tsezKdzNYBYhh338RSBSzpaN+zRO8OQ2iSZGHo5zWsdyCQP:Tp5bzhKezQzSBM338RSBSzpw+zGpiSZw
        MD5:4D2ABBCEC5EC3B565E451A6D9B1AC871
        SHA1:0C6BEDA8BE1A704C0C2615D4A481BACA0E56372D
        SHA-256:2CD5F5D0064BC909DFE0F0FC8F4787882C7C379F2730D89E5FAA0C2BC57C620B
        SHA-512:BFBC9488D34C160BA5B34A425DA9E54E9454028E2C2D825F7E36FAD5C290BDF00F250A5656B0AAEF81BCF8A3ACB62204ADAFAA4F857CD5DC78DD2233F8BAB83B
        Malicious:false
        Reputation:low
        Preview:NOTICES AND INFORMATION..Do Not Translate or Localize....This software incorporates material from third parties. Microsoft makes certain..open source code available at https://3rdpartysource.microsoft.com, or you may..send a check or money order for US $5.00, including the product name, the open..source component name, and version number, to:....Source Code Compliance Team..Microsoft Corporation..One Microsoft Way..Redmond, WA 98052..USA....Notwithstanding any other terms, you may reverse engineer this software to the..extent required to debug changes to any libraries licensed under the GNU Lesser..General Public License.......Component..OpenSSH....Open Source License/Copyright Notice.....The licences which components of this software fall under are as..follows. First, we will summarize and say that all components..are under a BSD licence, or a licence more free than that.....OpenSSH contains no GPL code.....1).. * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland..
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):15495
        Entropy (8bit):6.010725782630624
        Encrypted:false
        SSDEEP:384:cqR36IBTN6hEfVJzQS8DAppYUOCOehPQm4VkvNSL2OkQ1gFDo8q0z:cwBTrdJcS8DAkXCFPQm4m1S31gBo8q0z
        MD5:4F082367519973BA211D9A399F335CFA
        SHA1:47859F55590D30167DCFB8BD72B5626D0ACCAE60
        SHA-256:0A7524630EEB8A75C899F70F7785F18D1E614819969B72607BB98989586D6ECA
        SHA-512:B624B50E630FCF3556C79022149B42DBEC570FDC4307A23BFDAEB284FC6FEF6CCBC5DCC5642242DA9308A121BE6E13AC5D49B1AC0EDA1D89C25FE3F9EA7972FB
        Malicious:false
        Reputation:low
        Preview:#..# Module manifest for module 'OpenSSHUtils'..#..# Generated on: 6/9/2017..#....@{....# Script module or binary module file associated with this manifest..ModuleToProcess = 'OpenSSHUtils.psm1'....# Version number of this module...ModuleVersion = '1.0.0.1'....# ID used to uniquely identify this module..GUID = '08285dee-3d08-476b-8948-1a7e2562c079'....# Author of this module..Author = 'Yanbing Wang'....# Company or vendor of this module..CompanyName = ''....# Copyright statement for this module..Copyright = ''....# Description of the functionality provided by this module..Description = 'Configure OpenSSH for Windows related security settings like file owner and permissions.'....# Functions to export from this module..FunctionsToExport = '*'....# Cmdlets to export from this module..CmdletsToExport = '*'....# Variables to export from this module..VariablesToExport = '*'....# Aliases to export from this module..AliasesToExport = '*'....# Minimum version of the Windows PowerShell engine re
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
        Category:dropped
        Size (bytes):47568
        Entropy (8bit):5.519729641833525
        Encrypted:false
        SSDEEP:768:23fJv6zpJjpxH+XVzO/TdRUe8vEDtXyQr0awJBTrdJcS8DAkXCpliW8phSAwcCzx:23fF61JFxtAawPqDCpEW8rCGf0
        MD5:B9960AA2A05F48A7C8F960E4149B1932
        SHA1:0994EA3D7115C7DF99835C5D70EA5B3D82D87AA3
        SHA-256:A69ECBF6A97C335EE78359953D31DABEBB36FF31688E91677C93BA2428DA8A2B
        SHA-512:9F27F3F7AD0132903E4C95995422746CE8F3A3080B762010639D6A10049A05F21C54E257944AC0C47F765E50950F642BCF345FECB697156C4BEC829FF03401DC
        Malicious:false
        Reputation:low
        Preview:.Set-StrictMode -Version 2.0....<#.. .Synopsis.. Get-UserSID..#>..function Get-UserSID..{ .. [CmdletBinding(DefaultParameterSetName='User')].. param.. ( [parameter(Mandatory=$true, ParameterSetName="User")].. [ValidateNotNull()].. [System.Security.Principal.NTAccount]$User,.. [parameter(Mandatory=$true, ParameterSetName="WellKnownSidType")].. [ValidateNotNull()].. [System.Security.Principal.WellKnownSidType]$WellKnownSidType.. ).. try.. { .. if($PSBoundParameters.ContainsKey("User")).. {.. $sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).. }.. elseif($PSBoundParameters.ContainsKey("WellKnownSidType")).. {.. $sid = New-Object System.Security.Principal.SecurityIdentifier($WellKnownSidType, $null).. }.. $sid .. }.. catch {.. return $null.. }..}....# get the local System user..$
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):23173
        Entropy (8bit):5.149355435873018
        Encrypted:false
        SSDEEP:384:F+ZBj+ZE+ZiR+Zc+Zs+ZiT+ZA+ZW+Zz+Z2T+ZWh+Zb+ZOTy+Zt+ZoV+Z0+ZL/p+D:F+ZJ+ZE+ZU+Zc+Zs+Zk+ZA+ZW+Zz+ZKw
        MD5:12970E53D69C95EF08BFC92D1CD7B1DF
        SHA1:ED5BA1C933AE1A8C2CDD79CC616F38159C7645C6
        SHA-256:6FAD60E3363D298542C5E979D2BBA836DAA25886CF4932FF06D8B320CB3E3298
        SHA-512:361DB29D9757BAA9CCBBE6F7DC152A466B511FD839F43809AA225F9C7F65428A1FCC34FEE47D63040E7522644984EB50C7F457B573F4FF0A5298A80952464A72
        Malicious:false
        Preview:{.. "files": [.. {.. "fileName": "./FixUserFilePermissions.ps1",.. "SPDXID": "SPDXRef-File--FixUserFilePermissions.ps1-522658FA68CC895A668696B445529EBB730AC452",.. "checksums": [.. {.. "algorithm": "SHA256",.. "checksumValue": "7401e1c14a09674bee5523e8de56324c51256aa42d38522d52c14da06de59c03".. },.. {.. "algorithm": "SHA1",.. "checksumValue": "522658fa68cc895a668696b445529ebb730ac452".. }.. ],.. "licenseConcluded": "NOASSERTION",.. "licenseInfoInFiles": [.. "NOASSERTION".. ],.. "copyrightText": "NOASSERTION".. },.. {.. "fileName": "./OpenSSHUtils.psm1",.. "SPDXID": "SPDXRef-File--OpenSSHUtils.psm1-0994EA3D7115C7DF99835C5D70EA5B3D82D87AA3",.. "checksums": [.. {.. "algorithm": "SHA256",.. "checksumValue": "a69ecbf6a97c335ee78359953d31dabebb36ff31688e91677c93ba2428da8a2b".. },.. {.. "algorithm": "SHA1",..
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:data
        Category:dropped
        Size (bytes):128
        Entropy (8bit):2.8835166764016833
        Encrypted:false
        SSDEEP:3:mPlAkw+lRelqNd2l8Nsc1fXb1b2NPlHlzlin:zYjelH8l5I/HZla
        MD5:E7298120DA208BA7C1CDB064D22FD607
        SHA1:0C6C1F00694D6A1440FD4E1F775F9E9F6942191B
        SHA-256:D9B3C5A6FAFF2B41C7C1C3BE406C2016E769D6BE8CD9F752A9C5E8B622843139
        SHA-512:3A346A69AEBB8D383CC585C9236C6AA5CD54D616F1775E0CE15D5417FEC497C30D18C58668A8509D328F753CDE5735C8C6EF1A12F0956DA76C68D4C4C8BD8E54
        Malicious:false
        Preview:6.f.a.d.6.0.e.3.3.6.3.d.2.9.8.5.4.2.c.5.e.9.7.9.d.2.b.b.a.8.3.6.d.a.a.2.5.8.8.6.c.f.4.9.3.2.f.f.0.6.d.8.b.3.2.0.c.b.3.e.3.2.9.8.
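The two dropped files above are the package's software bill of materials and its checksum sidecar. The 23173-byte JSON is an SPDX manifest that lists each shipped file with a SHA-256 and a SHA-1 value, and the 128-byte "data" file is that manifest's SHA-256 as a 64-character hex string in UTF-16LE (each character followed by a NUL byte, which the preview renders as a dot). The report's own hashes corroborate both: the sidecar decodes to 6fad60e3363d298542c5e979d2bba836daa25886cf4932ff06d8b320cb3e3298, the SHA-256 the report lists for the JSON, and the manifest's entry for OpenSSHUtils.psm1 carries SHA-256 a69ecbf6...28da8a2b and SHA-1 0994ea3d...82d87aa3, the values the report lists for the 47568-byte PowerShell module. The Python below is an added example, not part of this report or of the OpenSSH for Windows project: it verifies an extracted directory against such a manifest, using constructed stand-in file contents and a manifest built from them, so it runs offline. The only real value it uses is the sidecar digest quoted from the report; the manifest's file name on disk is not shown in the report and is not assumed here.

```python
import hashlib
import json

# SPDX algorithm names as they appear in the dropped manifest -> hashlib names.
_SPDX_ALGOS = {"SHA256": "sha256", "SHA1": "sha1", "SHA512": "sha512", "MD5": "md5"}

# Digest quoted from the report's 128-byte sidecar (the only real value here).
REPORT_SIDECAR_DIGEST = "6fad60e3363d298542c5e979d2bba836daa25886cf4932ff06d8b320cb3e3298"


def _spdx_file_entry(name: str, data: bytes) -> dict:
    """Build one entry in the shape of the manifest's "files" list, hashing
    constructed stand-in content (these are NOT the real OpenSSH files)."""
    short = name[2:] if name.startswith("./") else name
    return {
        "fileName": name,
        # The real manifest embeds the upper-case SHA-1 in the SPDXID as well.
        "SPDXID": f"SPDXRef-File--{short}-{hashlib.sha1(data).hexdigest().upper()}",
        "checksums": [
            {"algorithm": "SHA256", "checksumValue": hashlib.sha256(data).hexdigest()},
            {"algorithm": "SHA1", "checksumValue": hashlib.sha1(data).hexdigest()},
        ],
        "licenseConcluded": "NOASSERTION",
    }


# Constructed sample contents for the two files named in the manifest preview.
_GOOD_FILES = {
    "./FixUserFilePermissions.ps1": b"# constructed stand-in content\r\n",
    "./OpenSSHUtils.psm1": b"Set-StrictMode -Version 2.0\r\n",
}

# Constructed manifest bytes and the matching 128-byte UTF-16LE sidecar
# (64 hex characters, each followed by a NUL, exactly like the dropped file).
MANIFEST = json.dumps({"files": [_spdx_file_entry(n, d) for n, d in _GOOD_FILES.items()]}).encode()
SIDECAR = hashlib.sha256(MANIFEST).hexdigest().encode("utf-16-le")

# Constructed "extracted directory": one file tampered, one file not in the SBOM.
EXTRACTED = dict(_GOOD_FILES)
EXTRACTED["./OpenSSHUtils.psm1"] += b"Invoke-Expression $env:PAYLOAD\r\n"  # tampered
EXTRACTED["./extra.dll"] = b"MZ constructed stand-in"  # unlisted


def read_sidecar_digest(raw: bytes) -> str:
    """Decode the sidecar: a SHA-256 hex digest in UTF-16LE (with or without
    a BOM), falling back to plain ASCII. Raises if it is not a SHA-256 hex."""
    if raw[:2] == b"\xff\xfe":
        text = raw[2:].decode("utf-16-le")
    elif len(raw) >= 2 and raw[1:2] == b"\x00":
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("ascii")
    digest = text.strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("sidecar does not contain a SHA-256 hex digest")
    return digest


def verify_manifest_sidecar(manifest: bytes, sidecar: bytes) -> bool:
    """True if the sidecar's digest matches the manifest bytes as dropped."""
    return hashlib.sha256(manifest).hexdigest() == read_sidecar_digest(sidecar)


def verify_against_spdx(manifest: bytes, extracted: dict) -> dict:
    """Compare every file the manifest lists with the extracted bytes.
    Returns {fileName: "ok" | "mismatch" | "unverified" | "missing" | "unlisted"};
    every checksum the manifest carries in a known algorithm must match."""
    results, listed = {}, set()
    for entry in json.loads(manifest)["files"]:
        name = entry["fileName"]
        listed.add(name)
        data = extracted.get(name)
        if data is None:
            results[name] = "missing"
            continue
        checked, ok = 0, True
        for cs in entry["checksums"]:
            algo = _SPDX_ALGOS.get(cs["algorithm"].upper())
            if algo is None:
                continue  # unknown algorithm neither confirms nor refutes
            checked += 1
            if hashlib.new(algo, data).hexdigest() != cs["checksumValue"].lower():
                ok = False
        results[name] = "unverified" if checked == 0 else ("ok" if ok else "mismatch")
    for name in extracted:
        if name not in listed:
            results[name] = "unlisted"  # dropped but absent from the SBOM: investigate
    return results


if __name__ == "__main__":
    print("sidecar matches manifest:", verify_manifest_sidecar(MANIFEST, SIDECAR))
    for name, status in verify_against_spdx(MANIFEST, EXTRACTED).items():
        print(f"{status:10s} {name}")
```

To use this on a real extraction, read the manifest and sidecar bytes from the unpacked directory and build `extracted` from the files on disk with the same `./`-prefixed names the manifest uses. The `unlisted` result is the one a supply-chain reviewer cares about most: a PE file that was dropped but never appeared in the vendor's SBOM. Checking the sidecar first matters because the manifest is only as trustworthy as its own integrity; in a signed release that digest is what the signature ultimately covers.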
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
        Category:dropped
        Size (bytes):19792
        Entropy (8bit):6.086517736229093
        Encrypted:false
        SSDEEP:384:hpZ9ODlX1/2EmDtBTN6hEfVJzQS8DAppYUOCOe7Msm4TiGtkvNSL2OkQ1AfyKlty:hp+lX1/2E+tBTrdJcS8DAkXCPMsm4TY0
        MD5:C9CB9201AD670E27911F94BE4C88CAEF
        SHA1:76007632C9C213D49B6EB73FFCEBC4E851D990F5
        SHA-256:8774F08FF0BE6442911BECCF345DBC11A1748479F69C7754B94CA3793F8AAA0E
        SHA-512:9A17FBF53D476245CB7E869BD337895A262147EDB07140ACA4A29DC13E31AEF3BF57E3D96DF9F9E006031D88726B483331E77C4AD37CFA0C548F0BA84F16F679
        Malicious:false
        Preview:.# @manojampalam - authored initial script..# @friism - Fixed issue with invalid SDDL on Set-Acl..# @manojampalam - removed ntrights.exe dependency..# @bingbing8 - removed secedit.exe dependency..# @tessgauthier - added permissions check for %programData%/ssh....[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]..param ()..Set-StrictMode -Version 2.0....$ErrorActionPreference = 'Stop'....if (!([bool]([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")))..{.. throw "You must be running as an administrator, please restart as administrator"..}....$scriptpath = $MyInvocation.MyCommand.Path..$scriptdir = Split-Path $scriptpath....$sshdpath = Join-Path $scriptdir "sshd.exe"..$sshagentpath = Join-Path $scriptdir "ssh-agent.exe"..$etwman = Join-Path $scriptdir "openssh-events.man"....if (-not (Test-Path $sshdpath)) {.. throw "sshd.exe is not present in script path"..}
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):1791936
        Entropy (8bit):6.601645424683711
        Encrypted:false
        SSDEEP:49152:FhCUfwqyiYoyhTj4MIqtgyZNpv3Q84IRPyRqmbFc7XDRNvKJ5uvHlnCN:FQhjogjpdUI0RqmbCXDRNvKJ5uvHlnCN
        MD5:B293A9CE2AD06E4B4306054FE031D605
        SHA1:AB7D2FFF899AB4A99C30AB4008AAB598E665AE42
        SHA-256:498826DD49277E7AA858A77E23291BD1F50F6038E6C0EB260CA0DD7CE841E44E
        SHA-512:A69303D911890C93BF6C885BE1AD5D7944FA4380995282D19F5497AB1E2D34DDCBA730000CBBD725FB2D15B01EA23E7CF3C9A89F8CA4B0EFF782BD456F6E02CD
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......d... f. f. f.E..+f.E..&f.E...f.....'f.r..>f.r../f.r..)f.E..'f. f..f..../f....bd....!f...-.!f. fE.!f....!f.Rich f.................PE..d.....9b.........." .....H... ............................................................`A........................................@......(...P....@.......@.......0...'...P...@..0...T............................................`...............................text...`F.......H.................. ..`.rdata...>...`...@...L..............@..@.data............d..................@....pdata.......@......................@..@.rsrc........@......................@..@.reloc...@...P...B..................@..B................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:ASCII text, with very long lines, with CRLF line terminators
        Category:dropped
        Size (bytes):505872
        Entropy (8bit):4.037129647291093
        Encrypted:false
        SSDEEP:6144:X3LUQQqv7L9/2/EGyNbcrqPb3oTGCPh0gp6M2wENFyqh78XbI1zp:t3oTGCPh0gp6M2wENFyqh78XbI1zp
        MD5:9CE9A353888EDC38E91C591128E13D05
        SHA1:880C023558F6A70436391C9C1F44F0F71D71DAF3
        SHA-256:5B6F298DBADE72544679E1DB50CCA08414DE1EF07E653A0EBE191FC99B39D3B5
        SHA-512:AA4D65ACBE2921605F05C59A515397BB5E80769DF08B59E2600915B3C60EADB76B595544152CE7631E7045A865DB35C3A1866C3849A429571C1188DC528B4174
        Malicious:false
        Preview:# $OpenBSD: moduli,v 1.31 2021/09/28 11:10:05 dtucker Exp $..# Time Type Tests Tries Size Generator Modulus
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
        Category:dropped
        Size (bytes):3485
        Entropy (8bit):5.375701139663844
        Encrypted:false
        SSDEEP:96:PBK5OvqcKjrtXEilbzYzEiAH3T91eZRLgJ2jzDkHM8VK5:kwKjrR3lbse0jEHM8VK5
        MD5:6F47343492511BE4640FEEA169844855
        SHA1:39F0E1C5FDF3F456EEAF9F1A5696A7CA64617F86
        SHA-256:C36019E53E3045CBA2639BF35ED1E2498E3563B272533E53301165C31AB60199
        SHA-512:27E615C2E2363245C2350D9862400F9644F2068C0490C0C7A29142FC44F6C6CDC1EE3218C60A10B80871BAE9EF2FE22E2BEA20D8B90357BF28F77C6E18DEBC83
        Malicious:false
        Preview:<?xml version="1.0" encoding="utf-8"?>..<instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">...<instrumentation>....<events>.....<provider name="OpenSSH" guid="{C4B57D35-0636-4BC3-A262-370F249F9802}" symbol="OpenSSH" resourceFileName="%windir%\system32\openssh\ssh-agent.exe" messageFileName="%windir%\system32\openssh\ssh-agent.exe">......<events>.......<event symbol="CRITICAL_Event" value="1" version="0" channel="OpenSSH/Admin" level="win:Critical" template="2StrTemplate" message="$(string.OpenSSH.event.message)">.......</event>.......<event symbol="ERROR_Event" value="2" version="0" channel="OpenSSH/Admin" level="win:Error" template="2StrTempla
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):396688
        Entropy (8bit):6.479045693528093
        Encrypted:false
        SSDEEP:6144:F86DRFBOEHvF/y3Z4ZqE1Fu/sE6zc95cpo3S7LVv6ZrN:FtvQyt/ypwqOu0NzcQgS7LVqN
        MD5:61C6E2AF0DED3267E696E41779A8524D
        SHA1:2328A116BB6A538CA6C210D6965F3C919EE909F3
        SHA-256:6A9E6B446757855E923EFE138A2BE5F57E01247538C843188664D5C67F15B662
        SHA-512:B216F74FF6C1CE4F6C522974747E6C020C9A626CF0B3E0762524C8A487890A5C562BCAD55FA8AE50CF160E48443F9194589DABDFFC52BC9EBE3EA3E60D28ABF3
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]JG.<$..<$..<$..Z ..<$..Z'..<$..Z!.`<$.2....<$..b'..<$..b!..<$..b ..<$..Z%..<$.7U%..<$..<%.R<$.>b,..<$.>b...<$..<...<$.>b&..<$.Rich.<$.........PE..d...:.:b.........."......H...Z......p..........@..........................................`.................................................$................p...6.......'...........K..p...........................@L...............`...............................text...@F.......H.................. ..`.rdata...?...`...@...L..............@..@.data...............................@....pdata...6...p...8..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):340392
        Entropy (8bit):6.465698287452258
        Encrypted:false
        SSDEEP:6144:frMq4Kjv1B5vtN6/Dsni+5mL9xd1etfueAYiayk:DD4KZ6LA09DAueOayk
        MD5:A49125B8B151138F4EE4411797C02FE0
        SHA1:D1510F2B73835F47CD8839F7B9DEAE15329D7229
        SHA-256:004B5D18ADD90884169EE7FD0BF4237FD26D1D93D05ADE776ABB8BBDA2B6DE03
        SHA-512:ECBD39ABA0F00F5990DECCB3330EA1C0C59EF9218B9268B410E9BA3A3CFBC7BB5A4D9ADC3FC8287EC49750C50160CF3E5B78289FCC41E247DCC28C8AACF72F7C
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.^@...@...@...%c..K...%c..F...%c.......5.C...{[..G...{[..\...{[..W...%c..P....l..C...@........[.......[..A...@.e.A....[..A...Rich@...........PE..d.....:b.........."..........:......`..........@....................................r.....`.................................................d....................2.......'...........z..p............................z...............................................text...`........................... ..`.rdata...'.......(..................@..@.data...............................@....pdata...2.......4..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):412048
        Entropy (8bit):6.497457728369427
        Encrypted:false
        SSDEEP:6144:IFS69uTyrkipIGMqPx9wV9+K8JbQf+Royy5WKOKXVYZvY:IwWP42sqrwVEy2fy5iKCRY
        MD5:4DFEF756AA758982C44F2768DE3B0E97
        SHA1:94391DE21BFFA18E66F83B773FD7BA0B0EEF3FF9
        SHA-256:836ECBCACE24DF984A92429FF1C321120E1B4870EA21316F15AE8F6B9A2A0511
        SHA-512:B4BBA6D960AC49C64550AD94491140F2EC21D33C53604592A3F5D13C2B2F33D8D4310913918A73229790129B821A3ABE0BBFC823F237FB7528364FF841A374B8
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4..E4..E4..EQ..D8..EQ..D2..EQ..D...E.>.E0..E...D3..E...D(..E...D#..EQ..D$..E...D7..E4..E..E...Dp..E..(E5..E4.@E5..E...D5..ERich4..E........PE..d.....:b.........."......n...........i.........@.............................@......jl....`......................................................... ...........9..."...'...0.......z..p...........................P{...............................................text....m.......n.................. ..`.rdata..rR.......T...r..............@..@.data...@...........................@....pdata...9.......:..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):540560
        Entropy (8bit):5.899688679656989
        Encrypted:false
        SSDEEP:6144:Fw1FFUU/pjLoAKscaec8xmNP4siQf8lf/0bV4aDb2O7fcCnDtpXEqyGeclzC:F/UBjcW9OmjiC8lf/0LnEhG71C
        MD5:CBBFC99E0EB09375597F605A36E9741D
        SHA1:F65BA309F00B699CCEB2E5F3AD28049780F255B8
        SHA-256:B2E7FAE077AE288A48FE9FDFF4C0D5CCDB62DB552AA901B08CE48CA94402823F
        SHA-512:470668773D7C94FB5B12BC2EF475FF13267F03D2686D7DAB21322779E7C98FD5EFB356A5238296F3620429194ACA85A447355AFBE95C5580216926DCE614DFDE
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........D................................0...}Q>..................................x...............q.......q.........n.....q.......Rich....................PE..d...0.:b.........."..........6......P..........@.........................................`......................................................................?.......'..........`Y..p............................Y...............................................text.............................. ..`.rdata..............................@..@.data...............................@....pdata...?.......@..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):502696
        Entropy (8bit):5.804206376924295
        Encrypted:false
        SSDEEP:6144:dLtMP31AqV31usKGwvvCRTaVq8lf/X2aDb2O7fcCnDtLeuYfHLWPFyg:dLEmqV31ubGKOOE8lf/bheTsFyg
        MD5:1D63EE1EA6F25DE7250C8B2B1B2D8EA0
        SHA1:F2F1B56DD99D80B26A02784A5A0FB83C13467B10
        SHA-256:405984BEB1B2CA81B7421C0A04473F658082C231833B12FCD4D1AABB1931E29D
        SHA-512:B355AF1C15C4261FEAB0CB31FB946971EE885B81AE379547D0AB53D244D60EFDC588FDD7A066A8D8B0021AEAF92B9272CEED02D1AC2F39760ED01499DC87CCB5
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......<K>.x*P.x*P.x*P..LT.t*P..LS.~*P..LU..*P...{*P.CtS.p*P.CtU.Y*P.CtT.`*P..LQ.h*P..CQ.{*P.x*Q..+P..tX..*P..t..y*P.x*.z*P..tR.y*P.Richx*P.........................PE..d...!.:b.........."......,.....................@..........................................`.................................................|...........x.......d8.......'..........@...p............................................@...............................text....+.......,.................. ..`.rdata..x....@.......0..............@..@.data....K...@.......$..............@....pdata..d8.......:...2..............@..@.rsrc...x............l..............@..@.reloc...............|..............@..B................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):759720
        Entropy (8bit):6.115168770350867
        Encrypted:false
        SSDEEP:12288:76XwzzC36mQaxml2uSnZWI1X7brW0pjDA8lf/HJmsmgaDV:GXwzzCKdaxmUnnlfbjc8lf/IslaDV
        MD5:78D903071F47C4D4C36F84D9DDA9635E
        SHA1:702930C009D0336B97FABDB6C609D437F58CF531
        SHA-256:5F6B019EAED1B7FDDF5592E2E84299A9AFA7F806AAD8F082EB55BDE0910FA623
        SHA-512:FD90ED284FAD76F340B49170648F92AA8D1682A3F19DE261E9CBC7C3FC89674E7072E3C217B677A556D955F99247154B8D34E9BF999987B2B45FFA88CE9B996F
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2...S...S...S...5...S...5...S...5...S.._....S.......S.......S.......S...5...S..Z:...S...S..QR..S....S..S.=..S...SU..S..S....S..Rich.S..................PE..d.....:b.........."......F.....................@.............................p.......@....`..........................................................P...........[...p...'...`.. ...pl..p............................l...............`...............................text....E.......F.................. ..`.rdata..(....`.......J..............@..@.data...P...........................@....pdata...[.......\..................@..@.rsrc........P.......\..............@..@.reloc.. ....`.......f..............@..B........................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):583568
        Entropy (8bit):5.975789913378952
        Encrypted:false
        SSDEEP:12288:y/5eYPNSrplgnF4RW5b6Kepef3TTcepu5d:65e2uEGsb6vpaTTceA5d
        MD5:9BCF218087E935B893E4C010B2E97A26
        SHA1:0E90600759FE79095CAFAEB53E82D4802F03A2F4
        SHA-256:C38F62BD8668CF27EF94641D7D2B7F7CAE4CF3D5D93ACC97E317EEDEFF238064
        SHA-512:9A6CBBB3CA24D6D9240D455ED33D1DFE3A35B5D05F27E89BC876D9031492F75F6583BBD9323C8820ED7E970BBCD3E6D20BB22DB92A7A6C51CE0CCA252B2CA5D0
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........#...B...B...B..$...B..$...B..$...B..Z.Q..B.......B.......B.......B..$...B.._+...B...B..C..V...B..V.i..B...B...B..V....B..Rich.B..........................PE..d...X.:b.........."............................@....................................d.....`..................................................M...............P..8@.......'..............p...........................`................................................text...X........................... ..`.rdata..NV.......X..................@..@.data........p.......Z..............@....pdata..8@...P...B...j..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):448936
        Entropy (8bit):5.7077563188563385
        Encrypted:false
        SSDEEP:6144:9cdnBP+Um4W5lfmSiBd0v725aDb2O7fcCnDt9emDm9m1a:9cRh+yW51wKD3eWm9m1a
        MD5:DC00854D0913C2801BAE66C550947155
        SHA1:7C900DB08B149DC1009288F224F95500B0913BC4
        SHA-256:0AAD3273F2A3E1043BE9973F8518AF3D91589A9CC9F83F8F64D80E605AF60623
        SHA-512:AC803345FD91AE8EEC3AD8B9BD004864868D27F0232E876E8EE91242824B039A519A64C957A3E8655A1E3142B0F105A2E5E8AE47059CE2AE2F6A0BF88F811C86
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Qt/.?'/.?'/.?'J.;&#.?'J.<&).?'J.:&..?'.$.'+.?'..<&'.?'..:&..?'..;&7.?'J.>&?.?'..>&,.?'/.>'P.?'..7&v.?'...'..?'/..'..?'..=&..?'Rich/.?'................PE..d...}.:b..........".................@..........@.....................................X....`..................................................R...............@...0.......'..............p...............................................@............................text...8........................... ..`.rdata..4...........................@..@.data...H....p.......`..............@....pdata...0...@...2...n..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):161704
        Entropy (8bit):6.3151510264374195
        Encrypted:false
        SSDEEP:3072:E13xcggKyy9HGAgjX2NZ+FWv4R5wJ4jZxYvVQyvpv1:gxcgZFGAo2NZVJyZxYvqyRv1
        MD5:DAB97E55323EAAA353CA359B795F213F
        SHA1:7021A48B519DA86A69C6E09E37F84F262D790A70
        SHA-256:6192F41B0F39DC661C6DF5D095E6A4149DAF3CAE1CBA88AA0BAE011CDF67FD8B
        SHA-512:E96E40A869A6B35BFEF454E3FAFC31C2C71EA9CDF89D5EA16925A026F8FC212F95A96AE6CB4F5DADE39A10C8DE7A0E9D6C5719D243C94573486FCCE01D6B5F48
        Malicious:false
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hTmq,5.",5.",5."IS.#(5."IS.#&5."IS.#.5.".k.#+5.".k.#05.".k.#?5."IS.#)5.",5."A5.".k.#.5.".k."-5.",5."-5.".k.#-5."Rich,5."................PE..d.....:b.........."......h...........7.........@..........................................`.....................................................<............`.......P...'..............p...........................p................................................text....f.......h.................. ..`.rdata...............l..............@..@.data...h-...0......................@....pdata.......`.......*..............@..@.rsrc................>..............@..@.reloc...............H..............@..B........................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):601000
        Entropy (8bit):5.914086051930283
        Encrypted:false
        SSDEEP:12288:WtcGkB5rOD0IdmWuIMkThAwf8eoIruKlasiyq:WcGkBhOJdwQhD0eoIruXsW
        MD5:4146465419A11C20260FEEE9E967BA59
        SHA1:5DE509558B719392235516C3CC266D502F980123
        SHA-256:2267C24A85D62DEFAD027A97D685309A86B1929614B6A4CAA560538B27B831FC
        SHA-512:45694ABC9DE853B5FF32AF5047F48AD3887EC5628613F20B3393A4D2D7463B2F2F7EB32E5D9232414695F52CF72C02CA59278B0EB7012643E8836E53C2AA0317
        Malicious:false
        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......g%8.#DV.#DV.#DV.F"R.-DV.F"U.%DV.F"S..DV...'DV...U.+DV...S..DV...R.;DV..-W.!DV.F"W.4DV.#DW..EV..1R..DV...^.uDV....."DV.#D.."DV...T."DV.Rich#DV.................PE..d...^.:b.........."......8.....................@....................................r.....`.........................................................`...........L.......'...p..`...0-..p...................8...(....-...............P...............................text...H7.......8.................. ..`.rdata..\R...P...T...<..............@..@.data....K..........................@....pdata...L.......N..................@..@.tls....i....P......................@....rsrc........`......................@..@.reloc..`....p......................@..B........................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):1110952
        Entropy (8bit):6.261524732263485
        Encrypted:false
        SSDEEP:24576:viKH5P9Y3O09u+4WwqQ7wbbFKSQ8lf/CTvZY6mD3YT:aKHDYNp4WwqU8JQ8lf/CTq6eC
        MD5:F7B5901DB979ED5C2BB56A921A6FB647
        SHA1:99641CDF9CFFA8204BE20B996146CF057C8A4649
        SHA-256:ADAA0A026FFDD3740591E735A55A04ED2DFE8C47C3AD00C3A2F14DFDDC3C2098
        SHA-512:A9A6DE5B426E31353F1EFF9BB3FA61775544410E6119B8CB1A020F571DB6F0B9F31A50EA5FB1CC41082FE05291C9ED210BE552266AE610D0C411C803604DB80D
        Malicious:false
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z"..4q..4q..4q..0p..4q..7p..4q..1p..4qCU.q..4q.7p..4q.1p..4q.0p..4q..5p..4qF.5p..4q..5qQ.4qO.<pQ.4qO..q..4q...q..4qO.6p..4qRich..4q................PE..d...y.:b.........."...... ...........s.........@.............................P.......(....`..........................................................0...................'...@.. ....C..p...........................PD...............0..P............................text............ .................. ..`.rdata..0....0.......$..............@..@.data....z... ......................@....pdata...............,..............@..@.rsrc........0......................@..@.reloc.. ....@......................@..B........................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):1169808
        Entropy (8bit):6.266813009307705
        Encrypted:false
        SSDEEP:24576:xkhimPSHDrdfv0h996sMwgJzq6nBfj8lf/YfT2uKJ1zWEZFhSdLRMz:ahinDrdE9eHJzqgb8lf/YfTpKJ1Rag
        MD5:99035267646171AB484A9563FBD14C4A
        SHA1:57575208576D744675E70882E9F36EA9EC4E5DAD
        SHA-256:5D61F96ADEF6AA31F2F5145CF938C597D556DBA30D84766F9163B3D0D984F6A8
        SHA-512:48704A2ACFECC089FB3A51D7B027B7D0FD4B42BDA96CF1724EB718893F5E3C356969E92BEFB111A374013F318DFE072D511C53D26AC37750519ED31F0297E77C
        Malicious:false
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Fl..'...'...'..A...'..A...'..A...'..Q....'...y...'...y...'...y...'..A...'..TN...'...'..C&..]y..a'..]y...'...'...'..]y...'..Rich.'..................PE..d.....:b.........."..........>.......B.........@.............................P............`..........................................................0...................'...@..........p...............................................P............................text...*........................... ..`.rdata..<...........................@..@.data...a...........................@....pdata..............................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2297
        Entropy (8bit):5.051831835063015
        Encrypted:false
        SSDEEP:48:HYYcALGVkV8A2hAip8dNixFEuau0IHRNGs9QCpiGGUpv0+8yfmPyRyYrOlt:4YcAi+aAD68d90NGs91np0+8yffRyv
        MD5:D15430C48C8288488596CC19C1226D2F
        SHA1:825CDEC4CF05869C74B01E7A1C8BF3C5E2C45CD8
        SHA-256:99F373A06DFA706F0A8A98D655C776850305B4B1EA3BF9A33FA926897BB15649
        SHA-512:40BBA09D3037310E997BB0951EE69D51440B6FA93ADEEEE75D7590BFC31E625828ACD37906541967312B85F8E539B21A3C1917264BB84F75421A476BF925B99F
        Malicious:false
        Preview:# This is the sshd server system-wide configuration file. See..# sshd_config(5) for more information.....# The strategy used for options in the default sshd_config shipped with..# OpenSSH is to specify options with their default value where..# possible, but leave them commented. Uncommented options override the..# default value.....#Port 22..#AddressFamily any..#ListenAddress 0.0.0.0..#ListenAddress ::....#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key..#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key..#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key..#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key....# Ciphers and keying..#RekeyLimit default none....# Logging..#SyslogFacility AUTH..#LogLevel INFO....# Authentication:....#LoginGraceTime 2m..#PermitRootLogin prohibit-password..#StrictModes yes..#MaxAuthTries 6..#MaxSessions 10....#PubkeyAuthentication yes....# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2..# but this is overridden so installations will only c
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
        Category:dropped
        Size (bytes):15460
        Entropy (8bit):6.0387506709750225
        Encrypted:false
        SSDEEP:384:gcBTN6hEfVJzQS8DAppYUOCOe+Q13zZ0urvzmmlU9/k3HaiabnZ7fGaJ3xmNg:tBTrdJcS8DAkXCKQ1jVrbflUJk3HarbD
        MD5:436BB32020265B6F67F6C73A6D4B4DBB
        SHA1:E3B6E94DCE9EE988AD240F8C42768636DF47BEFE
        SHA-256:BD507A3791255DF7F38E2C8BEB45F3EB5857438D997DE6274899BA10E6D52055
        SHA-512:45C8C8F28FC5B8C89DB0E64D04947028C1060D079A7456D410DA4B6329A415EC9D1B6B318B22F7DF92495CD33F52249EC4E7AAA9ACFF73D28527A5326C029866
        Malicious:false
        Preview:.if (!([bool]([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")))..{.. throw "You must be running as an administrator, please restart as administrator"..}....$scriptpath = $MyInvocation.MyCommand.Path..$scriptdir = Split-Path $scriptpath..$etwman = Join-Path $scriptdir "openssh-events.man"....if (Get-Service sshd -ErrorAction SilentlyContinue) ..{.. Stop-Service sshd.. sc.exe delete sshd 1>$null.. Write-Host -ForegroundColor Green "sshd successfully uninstalled"..}..else {.. Write-Host -ForegroundColor Yellow "sshd service is not installed"..}....# unregister etw provider..wevtutil um `"$etwman`"....if (Get-Service ssh-agent -ErrorAction SilentlyContinue) ..{.. Stop-Service ssh-agent.. sc.exe delete ssh-agent 1>$null.. Write-Host -ForegroundColor Green "ssh-agent successfully uninstalled"..}..else {.. Write-Host -ForegroundColor Yellow "ssh-agent service is n
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:AppleDouble encoded Macintosh file
        Category:dropped
        Size (bytes):212
        Entropy (8bit):3.9628936575416
        Encrypted:false
        SSDEEP:3:PFoESNt/FPl2Xv/ZlW3//lhlfAlllRTwPXiBWXejJprS5zznpUnl:PgGc/ShwviBB3SRznpUl
        MD5:48C9C4F8EF16D210449FB101CF41506F
        SHA1:015DF35C5D7C35A77543AF7E36BBE49D962DF356
        SHA-256:5E0D95968767C4A299D7F73B503F6B190505C982804F05B3153522A54F943C51
        SHA-512:04323923FECBF48FE0D4E399C475D1251F518CB41F3412B6A16656CA0CCD2EF8E2AF932E2C2DDFC5639C0B59F4F7683448AE2F09028A84EE9D28358DB4EA08CE
        Malicious:false
        Preview:........Mac OS X .........2..................................................ATTR...............<.......................<...com.apple.quarantine.q/0083;628faef4;Safari;4B0F64AE-3999-41D6-8755-18DFC7BAE83B.
        The entry above is repeated for 28 further dropped files: the __MACOSX/._* AppleDouble resource forks that the macOS Finder adds when it zips a folder (the archive's content preview lists OpenSSH-Win64/ followed by __MACOSX/._OpenSSH-Win64). All 29 are 212 bytes with identical MD5, SHA1, SHA-256 and SHA-512 values and carry a single com.apple.quarantine attribute written by Safari (flags 0083, download time 0x628faef4, one shared event UUID 4B0F64AE-3999-41D6-8755-18DFC7BAE83B); they contain metadata only, no code. The report marks 28 of the 29 entries Malicious:false and one Malicious:true although the contents are byte-identical, so that flag reflects a per-file heuristic rather than anything in the file.
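        The quarantine value visible in each ._ file's Preview is worth decoding during triage, because it records which application downloaded the archive and when. The following PowerShell is an added example and is not part of the Joe Sandbox report or of the Win32-OpenSSH project. It assumes Apple's usual "flags;hex-unix-time;agent;event-uuid" layout for com.apple.quarantine (undocumented by Apple but stable for years) and uses the extraction path named in this report; the regex-based extraction is a heuristic that skips a full parse of the AppleDouble ATTR header.

```powershell
# Added example, not part of the Joe Sandbox report. Decodes the com.apple.quarantine
# value stored in the __MACOSX/._* AppleDouble files that the archive drops.
# Assumption: the value uses Apple's usual "flags;hex-unix-time;agent;event-uuid" layout.

function ConvertFrom-AppleQuarantine {
    param([Parameter(Mandatory)][string]$Value)

    $parts = $Value.Split(';')
    if ($parts.Count -lt 3) { throw "Not a com.apple.quarantine value: '$Value'" }

    $flags = [Convert]::ToInt32($parts[0], 16)     # e.g. 0083
    $epoch = [Convert]::ToInt64($parts[1], 16)     # seconds since 1970-01-01 UTC, written in hex

    [pscustomobject]@{
        Flags         = ('0x{0:X4}' -f $flags)
        DownloadedUtc = [DateTimeOffset]::FromUnixTimeSeconds($epoch).UtcDateTime
        Agent         = $parts[2]                  # application that created the quarantine event
        EventUUID     = if ($parts.Count -ge 4) { $parts[3] } else { $null }
    }
}

function Get-AppleQuarantineFromAppleDouble {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [IO.File]::ReadAllBytes($Path)
    # AppleDouble files start with the magic 00 05 16 07; anything else is not worth scanning
    if ($bytes.Length -lt 4 -or $bytes[0] -ne 0x00 -or $bytes[1] -ne 0x05 -or
        $bytes[2] -ne 0x16 -or $bytes[3] -ne 0x07) {
        throw "'$Path' is not an AppleDouble file"
    }

    # Latin-1 maps every byte to exactly one char, so the regex works on the raw bytes
    $text = [Text.Encoding]::GetEncoding(28591).GetString($bytes)
    # Heuristic rather than a full ATTR-header parse: find the attribute name, then the
    # first "flags;time;agent;uuid" run that follows it.
    $m = [regex]::Match($text,
        'com\.apple\.quarantine\x00.*?([0-9a-fA-F]{4};[0-9a-fA-F]{8};[^;\x00]+;[0-9A-Fa-f-]{36})',
        'Singleline')
    if (-not $m.Success) { return $null }
    ConvertFrom-AppleQuarantine -Value $m.Groups[1].Value
}

# Value exactly as it appears in the report's Preview of each 212-byte ._ file
ConvertFrom-AppleQuarantine -Value '0083;628faef4;Safari;4B0F64AE-3999-41D6-8755-18DFC7BAE83B'

# Run over every resource fork the sandbox extracted (directory taken from the report)
Get-ChildItem -Path 'C:\Users\user\AppData\Local\Temp\mnewwgmq.irc' -Recurse -File -Filter '._*' |
    ForEach-Object { Get-AppleQuarantineFromAppleDouble -Path $_.FullName }
```

        For the value in this report, 628faef4 is 1653583604 seconds, i.e. 2022-05-26 16:46:44 UTC: the archive was downloaded with Safari on a Mac on the same day the sandbox ran it (start date 26/05/2022), then re-zipped by the Finder before being submitted. That explains the __MACOSX entries and is context the Windows-centric heuristics do not provide.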
        File type:Zip archive data, at least v2.0 to extract
        Entropy (8bit):7.994963496084457
        TrID:
        • ZIP compressed archive (8000/1) 99.91%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
        File name:OpenSSH-Win64.zip
        File size:4389599
        MD5:2b18fe81c9b573a60d2adad72c44863d
        SHA1:25e3848b88f8edc1a7ae005870bb2af897349451
        SHA256:8b3b9782522132b16e024ae8e0b17ad2cb16a964dc84588c3bf05f275c733afd
        SHA512:bb99c5265283996078b7f5148cae864593c566f84da329d9606bb10e808f1c20a052da09bab76f97909e72d19dfa76afed35db0ce445dee26c73336c037b71be
        SSDEEP:98304:1Ya8MbUcenXudElabcVHLLKrs8hE1Wj4Ws9BVNeJf/WX78Po:1YaFbinXudElSWixhECoBVNgf/WXgA
        TLSH:721633BC5D8F00937EB29938E6C954D0DD863424DA23F947BA6893E31973DFAE12811D
        File Content Preview:PK.........M.T.............. .OpenSSH-Win64/UT......b...b...bux.............PK.........M.T.............. .__MACOSX/._OpenSSH-Win64UT......b...b^..bux.............c`.cg`b`.MLV..V.P.....'...." ...0...CB..L...@l....!......XP...WX.X..W....P.o``almfd....fb....
        Icon Hash:00828e8e8686b000
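        The signatures in this report (suspended process creation, inlined nops, long sleeps) are behavioural heuristics that fire on legitimate archivers and build tooling; the question that actually decides whether this zip is a clean Win32-OpenSSH release is who signed the dropped PE files and whether the bytes the sandbox saw match what you have. The script below is an added example, not part of the Joe Sandbox report or of the Win32-OpenSSH project. It assumes the extraction directory named in the report, takes the SHA-256 values from the dropped-file entries above (the report lists them without file names, so the descriptions come from each entry's File Type and Preview), and assumes that genuine Win32-OpenSSH release binaries carry a valid Microsoft Authenticode signature, which you should confirm against the upstream release before relying on it.

```powershell
# Added example, not part of the Joe Sandbox report or of the Win32-OpenSSH project.
# Re-checks the extracted archive on evidence the sandbox heuristics ignore: file hashes
# against the values in this report, and Authenticode signatures on every PE.
# Assumptions: extraction directory as named in the report; release binaries are expected
# to carry a valid Microsoft Authenticode signature (verify against the upstream release page).

$Extracted = 'C:\Users\user\AppData\Local\Temp\mnewwgmq.irc'

# SHA-256 values copied from the dropped-file entries of this report.
$ReportHashes = @{
    '5D61F96ADEF6AA31F2F5145CF938C597D556DBA30D84766F9163B3D0D984F6A8' = 'PE32+ console executable, 1169808 bytes'
    '99F373A06DFA706F0A8A98D655C776850305B4B1EA3BF9A33FA926897BB15649' = 'sshd_config text, 2297 bytes'
    'BD507A3791255DF7F38E2C8BEB45F3EB5857438D997DE6274899BA10E6D52055' = 'PowerShell uninstall script, 15460 bytes'
    '5E0D95968767C4A299D7F73B503F6B190505C982804F05B3153522A54F943C51' = 'AppleDouble ._ resource fork, 212 bytes'
}

function Test-ExtractedRelease {
    param(
        [Parameter(Mandatory)][string]$Root,
        [hashtable]$KnownHashes = @{}
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $file = $_
        $sha  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

        # A PE file starts with 'MZ'; read two bytes rather than trusting the extension
        $isPe = $false
        try {
            $fs = [IO.File]::OpenRead($file.FullName)
            try {
                $hdr = New-Object byte[] 2
                $isPe = ($fs.Read($hdr, 0, 2) -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
            } finally { $fs.Dispose() }
        } catch { Write-Warning "Could not read $($file.FullName): $_" }

        $sig = if ($isPe) { Get-AuthenticodeSignature -LiteralPath $file.FullName } else { $null }

        [pscustomobject]@{
            Path       = $file.FullName.Substring($Root.Length).TrimStart('\')
            Bytes      = $file.Length
            SHA256     = $sha
            InReport   = $KnownHashes.ContainsKey($sha)        # PowerShell hashtable keys are case-insensitive
            IsPE       = $isPe
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            MacResidue = ($file.FullName -match '\\__MACOSX\\') -or $file.Name.StartsWith('._')
        }
    }
}

$results = Test-ExtractedRelease -Root $Extracted -KnownHashes $ReportHashes

# 1. Every PE, who signed it, and whether the sandbox saw the same bytes
$results | Where-Object IsPE | Format-Table Path, SigStatus, Signer, InReport -AutoSize

# 2. PEs that are unsigned, tampered, or not signed by Microsoft: the real reason to escalate
$results | Where-Object { $_.IsPE -and ($_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation') }

# 3. macOS packaging residue (the 212-byte ._ files); harmless on Windows and safe to delete
$results | Where-Object MacResidue | Measure-Object | Select-Object -ExpandProperty Count
```

        Step 2 is the check that matters: a PE whose SigStatus is anything other than Valid, or whose signer is not Microsoft, is the one to submit for the secondary analysis the report's advice asks for. Step 1 also catches the case where the report's hashes do not match your copy, which would mean the sandbox analysed a different archive than the one you downloaded.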
        No network behavior found
        [Behavior graphs not reproduced: per-process CPU load over the 100 s run (0-100 %) and memory use (0-15 MB), and the behavior distribution by File and Registry operations.]

        Target ID:0
        Start time:18:50:18
        Start date:26/05/2022
        Path:C:\Windows\SysWOW64\unarchiver.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\OpenSSH-Win64.zip"
        Imagebase:0x4d0000
        File size:10752 bytes
        MD5 hash:F737DE1D0C50E20064ACCB6647B50F6C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:moderate

        Target ID:1
        Start time:18:50:19
        Start date:26/05/2022
        Path:C:\Windows\SysWOW64\7za.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mnewwgmq.irc" "C:\Users\user\Desktop\OpenSSH-Win64.zip"
        Imagebase:0x1170000
        File size:289792 bytes
        MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:2
        Start time:18:50:20
        Start date:26/05/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c9170000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Execution Graph

        Execution Coverage:11.3%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:5%
        Total number of Nodes:80
        Total number of Limit Nodes:5

        Executed Functions

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.309712896.0000000000DC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC2000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dc2000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID: 1:r<$I}q$rhq}$rxq}
        • API String ID: 0-2603924934
        • Opcode ID: e5b2fcf1fc4e5831ad224fef2c9c645de09426e1c468566ac8fec0824a2b0ca1
        • Instruction ID: bd4dabb32dd1086333b93eb809aef14f2798615a7faff70933bd59342c8b88d0
        • Opcode Fuzzy Hash: e5b2fcf1fc4e5831ad224fef2c9c645de09426e1c468566ac8fec0824a2b0ca1
        • Instruction Fuzzy Hash: E68245A654E7C65FCB178B384864AA57FB29E27320B5E05CFD4C1CF0A3D519880AC776
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID: :@yq$u]Uq^
        • API String ID: 0-3011789812
        • Opcode ID: 7712c664aaa8a68278000766c276182b4c0992fb23c350b4daa3ec88957d1637
        • Instruction ID: a3e3b22f05810b8c444995f9f8b6d54e859c613b0efe64079df497c221950347
        • Opcode Fuzzy Hash: 7712c664aaa8a68278000766c276182b4c0992fb23c350b4daa3ec88957d1637
        • Instruction Fuzzy Hash: 90221A74E11218CFDB64DFA5E984BAEBBB2FF99305F10956AD809AB354C7305981CF10
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetSystemInfo.KERNELBASE(?), ref: 00DCB074
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: e5e34ac6f60d4a1c3e3f7e71dd39ed3095da7e9e1dce0d73f46901a361cd18fc
        • Instruction ID: 98909538e85867aec0a216029e172e4aff2933b45cc5fd49ef08ea7694d9e516
        • Opcode Fuzzy Hash: e5e34ac6f60d4a1c3e3f7e71dd39ed3095da7e9e1dce0d73f46901a361cd18fc
        • Instruction Fuzzy Hash: 3D018B318042449FDB20CF55E886B66FBA4EF45321F18C4ABDD898B256D279E508DAB2
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00DCB15F
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 2c9e655e316bcfbb11a73a2015ae07e9fe02746570d478f89663ccf0cc861c5c
        • Instruction ID: c7ff2ba4f06c61b644aebe4eb8bdd32f5417e32fd9ad428eb6aaf1ff5f3f39c4
        • Opcode Fuzzy Hash: 2c9e655e316bcfbb11a73a2015ae07e9fe02746570d478f89663ccf0cc861c5c
        • Instruction Fuzzy Hash: C531C6724043446FEB228F25DC45FA6BFBCEF45320F08889EED85DB152D224A909DB71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00DCAC13
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 4b15c780b42f13d66f41bf9a22173bd91b5a55b32c5c2c737ea53f0134255325
        • Instruction ID: 858498c315c036b4267d83be12ce42a3aa9bb76b327f335c80ee6b62ee3324ff
        • Opcode Fuzzy Hash: 4b15c780b42f13d66f41bf9a22173bd91b5a55b32c5c2c737ea53f0134255325
        • Instruction Fuzzy Hash: 7231B3724043446FEB228B65DC44FA7BFACEF45310F0888AEF985DB152D224A919DB71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DCA5A9
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 64137d3638bf11ca05a67bbebad96da47c5baff83214719ff9f7f5fde0dce91f
        • Instruction ID: 1c59d703686e3e5dff039343b11afffaad535f920043cf24ab56e8487f1f316a
        • Opcode Fuzzy Hash: 64137d3638bf11ca05a67bbebad96da47c5baff83214719ff9f7f5fde0dce91f
        • Instruction Fuzzy Hash: 5E316BB1504384AFE722CF69DC44F66BFE8EF45314F0884AEE9858B252D275E909CB71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 00DCAAA2
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CreatePipe
        • String ID:
        • API String ID: 2719314638-0
        • Opcode ID: 06e751d8d79c70750df34312d21ea7fda386a80e462089e6525a4ca3a1edc685
        • Instruction ID: b9dc48128ceff2dc1548a7ec52ee3268662ef4298a44c29756edbc7ebcda8f1a
        • Opcode Fuzzy Hash: 06e751d8d79c70750df34312d21ea7fda386a80e462089e6525a4ca3a1edc685
        • Instruction Fuzzy Hash: 8F318C6240E3C06FD7138B718C65AA5BFB4AF47610F1E84DBD8C48F1A3D2696909C762
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00DCA1C2
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FileFindNext
        • String ID:
        • API String ID: 2029273394-0
        • Opcode ID: f7e2872476145dc18584c26e08a62ec24f8a20bd0ca61ec9acf83fdc530e66ff
        • Instruction ID: 98342a24944887c27397cb6b25b0e87f86d0de93999f04738d3a3fcee0e736bf
        • Opcode Fuzzy Hash: f7e2872476145dc18584c26e08a62ec24f8a20bd0ca61ec9acf83fdc530e66ff
        • Instruction Fuzzy Hash: 5021A17140D3C06FD7138B759C51BA6BFB4EF87610F1981DBD8848F293D225A919C7A2
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00DCB15F
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 49d40fe6f4118d056e5b8402a46d9a7f0e58b82a790a86e0015bc3b942801458
        • Instruction ID: 5d970f93101212877382a5ffdfb060e693390918ecc0ba9ed6c16f2f3157ddde
        • Opcode Fuzzy Hash: 49d40fe6f4118d056e5b8402a46d9a7f0e58b82a790a86e0015bc3b942801458
        • Instruction Fuzzy Hash: C121B072500204AFEB219F65DC45FAAFBACEF04320F18886EED859B151D630E5099B71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00DCAC13
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 63e57c1c7bebf2bdda3c8778b457c2faf30a3e2f6d277d533980f328630c107f
        • Instruction ID: 3817f1f45e06b95b230c462b42537066d86bd2cde42be868773ae3929d33aca7
        • Opcode Fuzzy Hash: 63e57c1c7bebf2bdda3c8778b457c2faf30a3e2f6d277d533980f328630c107f
        • Instruction Fuzzy Hash: 7E21C472500208AFEB21CF69DC85F6AFBACEF04310F14886EED859B151D670E5098B71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • SetFilePointer.KERNELBASE(?,00000E2C,18983FF3,00000000,00000000,00000000,00000000), ref: 00DCA80A
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FilePointer
        • String ID:
        • API String ID: 973152223-0
        • Opcode ID: 17fe3ab7eddb6f7e21d596cd9139f78b4b5b80b41d27287081358f1bcf5108b1
        • Instruction ID: 498fc5782f4563094aa56440dd94921b1ec0b525f0bff314120445c3145b3bb0
        • Opcode Fuzzy Hash: 17fe3ab7eddb6f7e21d596cd9139f78b4b5b80b41d27287081358f1bcf5108b1
        • Instruction Fuzzy Hash: 1421A4714083846FE7228B24DC44FA6BFB8EF46714F0984EAED849F153D265A909CB71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • WriteFile.KERNELBASE(?,00000E2C,18983FF3,00000000,00000000,00000000,00000000), ref: 00DCA8ED
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 7bcd4b4dc7951f9c6a825ff7f9b0711fd7bf0c6732407bde5d20173ea511e25d
        • Instruction ID: 1d2e11c095c6b60187e3d2124e8609a5a1577bf724d3f5ae7b9d4055e3b4d056
        • Opcode Fuzzy Hash: 7bcd4b4dc7951f9c6a825ff7f9b0711fd7bf0c6732407bde5d20173ea511e25d
        • Instruction Fuzzy Hash: 7B219271409384AFDB228F65DC45F96BFB8EF46310F0884DBE9849F152C275A509CB72
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DCA5A9
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 6644dff99c1419926584ab1ecae7df0008df394932ab1d9a13e28d1e1f9a60dd
        • Instruction ID: 4989501c9b79ce3438f44b1054a2f3cf6890273759aa780ddc85df300fdb87ae
        • Opcode Fuzzy Hash: 6644dff99c1419926584ab1ecae7df0008df394932ab1d9a13e28d1e1f9a60dd
        • Instruction Fuzzy Hash: 7721B0B1500244AFEB21CF69DC45F66FBE8EF08314F18846EE9858B252D771E905CB72
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 00DCB6E2
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: EnumThreadWindows
        • String ID:
        • API String ID: 2941952884-0
        • Opcode ID: 21a3d7eea28854c87fde60f9f6bacb4f34ac15aebe0cc90a59ffc374a5ab7df8
        • Instruction ID: 4689c9191639bed620e42d2bdedada86d7005ecfd23d7c12d885688e9027aea4
        • Opcode Fuzzy Hash: 21a3d7eea28854c87fde60f9f6bacb4f34ac15aebe0cc90a59ffc374a5ab7df8
        • Instruction Fuzzy Hash: 9D21747150E7C05FD7138B258C55A26BFB4EF47610F0A81DFD8848F593D628A919C7B2
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetFileType.KERNELBASE(?,00000E2C,18983FF3,00000000,00000000,00000000,00000000), ref: 00DCA741
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FileType
        • String ID:
        • API String ID: 3081899298-0
        • Opcode ID: 88a8f83a83fd52c066ddff75353e8554ddfb770d32a2cf3ac7bbfe7ffe974fc0
        • Instruction ID: 02ca4b2be5327788ee7c0f9f0c212603639df027b180ae5c98cb737adf784530
        • Opcode Fuzzy Hash: 88a8f83a83fd52c066ddff75353e8554ddfb770d32a2cf3ac7bbfe7ffe974fc0
        • Instruction Fuzzy Hash: 8021C6754083846FE7128B25DC41BA6BFBCEF46710F1880DBE9849B193D264A909DB71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCB4AA
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: def7d057b3729ab0c724b494e68d66727a297866d99436ad134b81dba4bbc813
        • Instruction ID: ea44b2a14faf39cab2559971be6bf07bae497ff88c6cd20d46a18f0f4110a46b
        • Opcode Fuzzy Hash: def7d057b3729ab0c724b494e68d66727a297866d99436ad134b81dba4bbc813
        • Instruction Fuzzy Hash: 582160724093C0AFDB238F60DC54A52BFB4EF46224F0D84DAE9858B163D2799518DB61
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • CreateDirectoryW.KERNELBASE(?,?), ref: 00DCA4AF
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CreateDirectory
        • String ID:
        • API String ID: 4241100979-0
        • Opcode ID: 45542cd1d45c38d5a5d8f1c998b94925743ba903bfe064d043f1e643eaec830b
        • Instruction ID: 540f439d2c8894a066ac10b86ab8ba4adb33ea2d8b5486667d582ea3e355ffb2
        • Opcode Fuzzy Hash: 45542cd1d45c38d5a5d8f1c998b94925743ba903bfe064d043f1e643eaec830b
        • Instruction Fuzzy Hash: 431163715092859FD715CB29DC49B56BFE8EF46220F0984AEED49CB252D264E804CB71
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WriteFile.KERNELBASE(?,00000E2C,18983FF3,00000000,00000000,00000000,00000000), ref: 00DCA8ED
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 4e15b615a716951cf36a0754e4033dcaee1eb07cd11b98928d47dcfeb7b25ca5
        • Instruction ID: de217cec1ea99d79701dda932d68628bafb442236c4c6b7f2197d7f76d66b10d
        • Opcode Fuzzy Hash: 4e15b615a716951cf36a0754e4033dcaee1eb07cd11b98928d47dcfeb7b25ca5
        • Instruction Fuzzy Hash: D811C471400204AFEB21CF59DC45FA6FBA8EF44310F14846AED859B255D675A509CF72
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • MessageBoxW.USER32(?,?,?,?), ref: 00DCB779
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: Message
        • String ID:
        • API String ID: 2030045667-0
        • Opcode ID: fdf62de7be9bf91702afc2a8efc362c6c6af9f705bddb4eea8d04559c0e1929c
        • Instruction ID: f8a978c3970e687476e475e8196d72a66681515cd5a56efc9c8c1354976075ba
        • Opcode Fuzzy Hash: fdf62de7be9bf91702afc2a8efc362c6c6af9f705bddb4eea8d04559c0e1929c
        • Instruction Fuzzy Hash: BF118EB1504384AFEB218A15DC45F62FFA8EF55320F08849EEC848B293D225E908CB71
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetFilePointer.KERNELBASE(?,00000E2C,18983FF3,00000000,00000000,00000000,00000000), ref: 00DCA80A
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FilePointer
        • String ID:
        • API String ID: 973152223-0
        • Opcode ID: 5cead526e6050cf7eaa60108d0da96cb51b90697a20a4f3e6eab85cc6976333b
        • Instruction ID: 5e85dcd348e01f1323c62457a688a23c00a69a6624b391cd814d78423e7d231e
        • Opcode Fuzzy Hash: 5cead526e6050cf7eaa60108d0da96cb51b90697a20a4f3e6eab85cc6976333b
        • Instruction Fuzzy Hash: 49110A71400244AFEB21CF58DC45FA6FBECEF44310F14C46AED459B245D274A509CB72
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CloseFind
        • String ID:
        • API String ID: 1863332320-0
        • Opcode ID: b92d3c8ad37af1874f3ed542772afb34b711f5bcc205e38c69e6b0a12e35a1c7
        • Instruction ID: 214331ce6b3542d53a4a1e6a6cb35c3ce38cadd84e6691aa5d24a76ded2ccf75
        • Opcode Fuzzy Hash: b92d3c8ad37af1874f3ed542772afb34b711f5bcc205e38c69e6b0a12e35a1c7
        • Instruction Fuzzy Hash: 651191715093859FD7128B29DC45B52BFB8EF46220F0D84DFED858B263C269A848CB62
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetFileType.KERNELBASE(?,00000E2C,18983FF3,00000000,00000000,00000000,00000000), ref: 00DCA741
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FileType
        • String ID:
        • API String ID: 3081899298-0
        • Opcode ID: b5fc943668b2b6fbbcb47fc137b1f422cb7dd7fdd2fab4f11df6b8e69235b60c
        • Instruction ID: 0675f5a3a84e30259a9deb3654e16f608f112e533601bc03478e8e41f1fda1c1
        • Opcode Fuzzy Hash: b5fc943668b2b6fbbcb47fc137b1f422cb7dd7fdd2fab4f11df6b8e69235b60c
        • Instruction Fuzzy Hash: 4201F971500244AFE721CB19DC85F66FBACEF44721F18C09AED459B285D674A505CFB2
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateDirectoryW.KERNELBASE(?,?), ref: 00DCA4AF
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CreateDirectory
        • String ID:
        • API String ID: 4241100979-0
        • Opcode ID: 2868af6dd4c24caaef4e073c04d8645184b0c269fd463b3231e5f1f7a2f6f4e5
        • Instruction ID: 0ca2114b63294287027200ca50fa84a1219ad6fc344d6d728f5ebab3b99a4ff7
        • Opcode Fuzzy Hash: 2868af6dd4c24caaef4e073c04d8645184b0c269fd463b3231e5f1f7a2f6f4e5
        • Instruction Fuzzy Hash: 301170716042458FDB24CF29D889B56FBD8AB04324F1884AEDD49CB242D2B4E804CB72
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetSystemInfo.KERNELBASE(?), ref: 00DCB074
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: cec92a18b992ef6bfcd00f99a0ae7c9bbde21dc60ae8073b024687706df4fd0f
        • Instruction ID: c32c3176b152d23bdd4031f4132a50f81e47e0c55c17934e46ac522011bd5f3d
        • Opcode Fuzzy Hash: cec92a18b992ef6bfcd00f99a0ae7c9bbde21dc60ae8073b024687706df4fd0f
        • Instruction Fuzzy Hash: BA115E714093849FDB128F15DC85B56BFA4EF56220F1884EBED858F252D279A908CB62
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetErrorMode.KERNELBASE(?), ref: 00DCA290
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: ErrorMode
        • String ID:
        • API String ID: 2340568224-0
        • Opcode ID: e0cb42c4ad7b6631a2b32e6f811059909aec57223abc355c8aa9f84cf9886b80
        • Instruction ID: ccf30ff1b53b2bd7f3ffd37b7b8b5d0baa53e97863902d7693c8ba4bc384876a
        • Opcode Fuzzy Hash: e0cb42c4ad7b6631a2b32e6f811059909aec57223abc355c8aa9f84cf9886b80
        • Instruction Fuzzy Hash: 2D1165714093849FD7128B15DC44B62FFB4DF46624F0880DFED858B253D275A908DBB2
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • FindCloseChangeNotification.KERNELBASE(?), ref: 00DCA674
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 04df7575ecbfab5d8409c0742d4851e423797331f22d9743d4e5c1ab2c1204f2
        • Instruction ID: 271fb5932191b9860e899664b18433fdc0f2848b972f9dde30dca3efa506fd44
        • Opcode Fuzzy Hash: 04df7575ecbfab5d8409c0742d4851e423797331f22d9743d4e5c1ab2c1204f2
        • Instruction Fuzzy Hash: DB01B9715002459FDB11CF15DC85B66FBA8EF45320F08C46EED498B251C275A808CB71
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 00DCAAA2
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CreatePipe
        • String ID:
        • API String ID: 2719314638-0
        • Opcode ID: 47f5ebee2f1711c32f84fb1bd7ea19e0a19814ee8906427d4b56b4b352c9115e
        • Instruction ID: 48c6fe369a8b86c4e6856baba389c4fba211901b2399b600e21c27c2f719dbb5
        • Opcode Fuzzy Hash: 47f5ebee2f1711c32f84fb1bd7ea19e0a19814ee8906427d4b56b4b352c9115e
        • Instruction Fuzzy Hash: E501B171500600ABD750DF16DC86B66FBA8FB88B20F14812AED088B641D631B515CBE1
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00DCA1C2
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: FileFindNext
        • String ID:
        • API String ID: 2029273394-0
        • Opcode ID: 2e86d9ffedf6384645ad1908201bdc06acf51206769ca8df170265100770d07c
        • Instruction ID: 8e07800503fd478ec6f24017f9098857ab4ecd9910e92a944b80d63ee29d6509
        • Opcode Fuzzy Hash: 2e86d9ffedf6384645ad1908201bdc06acf51206769ca8df170265100770d07c
        • Instruction Fuzzy Hash: D401D471500600AFD710DF16DC86B76FBA8FB88B20F14816AED088B741D635F515CBE1
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • MessageBoxW.USER32(?,?,?,?), ref: 00DCB779
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: Message
        • String ID:
        • API String ID: 2030045667-0
        • Opcode ID: 3e1eb831d30244c0821ef351f021b8f03df090e8658c198d5adc028616598a4d
        • Instruction ID: dae2207589a4b363c0657ea43bc26f145d8a54f5502b967284734b962a3cbf33
        • Opcode Fuzzy Hash: 3e1eb831d30244c0821ef351f021b8f03df090e8658c198d5adc028616598a4d
        • Instruction Fuzzy Hash: FF018C759003059FEB20CF15DC86B26FBE8EF54321F08849EDC858B296D371E809DA71
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCB4AA
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 1bab65d34eab59e6585b00a8c8b3de1757555f5ad014edb5101f773132fe0458
        • Instruction ID: 570e559a8eff31a87fe45839c56b0cacfa7d727dd8374a72efc7fa330bff5501
        • Opcode Fuzzy Hash: 1bab65d34eab59e6585b00a8c8b3de1757555f5ad014edb5101f773132fe0458
        • Instruction Fuzzy Hash: 2E015B324086409FDB218F55D845B66FFE0EF48720F18C8AEDD894B616C376E418DB62
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • FindCloseChangeNotification.KERNELBASE(?), ref: 00DCA674
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 2f5ecee1e4e02a9bd3ad8b50cdf3b5030f121d543c9e241ae04fd7ab8de74938
        • Instruction ID: 19a868ff2a87a3df4649f42b2cbd834871ca3f580f8136a72c3314fbb9837d8e
        • Opcode Fuzzy Hash: 2f5ecee1e4e02a9bd3ad8b50cdf3b5030f121d543c9e241ae04fd7ab8de74938
        • Instruction Fuzzy Hash: C601D4315006458FDB118F29EC85B55FBA4EF40320F1CC4AFDC498B256D675D408CA72
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 00DCB6E2
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: EnumThreadWindows
        • String ID:
        • API String ID: 2941952884-0
        • Opcode ID: de7cc1346f1ce33da1abfea54e0da3d2a199ce0464e229a0c63b30f2224e36af
        • Instruction ID: 94bdde67441273fc4b83760006ec3eaf00973298d5f2b3d56b05781813193a89
        • Opcode Fuzzy Hash: de7cc1346f1ce33da1abfea54e0da3d2a199ce0464e229a0c63b30f2224e36af
        • Instruction Fuzzy Hash: 7B016D72500600ABD650DF1ADC86F26FBA8FB89B20F14815AED085B741E671F915CBE6
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: CloseFind
        • String ID:
        • API String ID: 1863332320-0
        • Opcode ID: 9240b80550c8c7f5c8e7c721223938a1de7a3868e2a10591f324c6c3c0431b3d
        • Instruction ID: d0c9155d81d606fdcef309f8c20fe224b44b99f9355f234a311119cce84a7e6e
        • Opcode Fuzzy Hash: 9240b80550c8c7f5c8e7c721223938a1de7a3868e2a10591f324c6c3c0431b3d
        • Instruction Fuzzy Hash: C001D6356002458FDB108F19DC85765FB98DF04325F08C0AEED458B252D275E908DEB2
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetErrorMode.KERNELBASE(?), ref: 00DCA290
        Memory Dump Source
        • Source File: 00000000.00000002.309718252.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dca000_unarchiver.jbxd
        Similarity
        • API ID: ErrorMode
        • String ID:
        • API String ID: 2340568224-0
        • Opcode ID: ee9333a43b7903476b30e3102f224b548e06efecf871539b2e7df8da44ba2c69
        • Instruction ID: cf2f4d8c184130db6b19cf7db3b0148a99ba8b72b85534c169d792652a40c37d
        • Opcode Fuzzy Hash: ee9333a43b7903476b30e3102f224b548e06efecf871539b2e7df8da44ba2c69
        • Instruction Fuzzy Hash: 91F0AF358042498FDB208F19E885B65FFA0EF04725F18C09EDD894B356D2B6A508DEB2
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID: U]Uq^
        • API String ID: 0-1454348445
        • Opcode ID: 298b2ea3a8beaef8818bbe4e2a0ad254e415e2b633865616ef96f9b973a0a7c3
        • Instruction ID: 301b6fdfd1c7c095abdf6517910a01a5168113ff3a246ae659a5bff2a5bf524b
        • Opcode Fuzzy Hash: 298b2ea3a8beaef8818bbe4e2a0ad254e415e2b633865616ef96f9b973a0a7c3
        • Instruction Fuzzy Hash: 86512530E42209DFCB18DFB5D480AAEBBB2FF89704F24942AE405B7340CB359942CB54
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6cf43b602bc53a40fe6ea4409115364a74071dd5400764cb07db4ef39d7e2696
        • Instruction ID: d203e04dea4f0c5f2c7bdc00f7484244ba1f81a20967656cdc82b6d73b4deaba
        • Opcode Fuzzy Hash: 6cf43b602bc53a40fe6ea4409115364a74071dd5400764cb07db4ef39d7e2696
        • Instruction Fuzzy Hash: C5216A31D01208DFCF15EFA4E940AEEBBB5EB89319F10862AD904B3754DB706A06CF90
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310037069.00000000027D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_27d0000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b54778751a44dd2ef40183fd7ae313b717ff0e1958dee686cc1b11c91e0fc570
        • Instruction ID: af6c1dddb11c576863aa7d25bb17c5996a2151f61ff64f89b1ee5e7e5dcd4ff7
        • Opcode Fuzzy Hash: b54778751a44dd2ef40183fd7ae313b717ff0e1958dee686cc1b11c91e0fc570
        • Instruction Fuzzy Hash: 8A018DB64096446FD701CF15DC41957FFFCDF86510B05C59FEC449B212D266BA148BA2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2a06bd52058a6a9f2d36499f4597de0e637f690840ac4ed9f7c17d2ea1818ac4
        • Instruction ID: f78bb1efdcd4fffde3ffe83acfacf47cb30de63da71097a0980c0b2a08f182fc
        • Opcode Fuzzy Hash: 2a06bd52058a6a9f2d36499f4597de0e637f690840ac4ed9f7c17d2ea1818ac4
        • Instruction Fuzzy Hash: 1B113570C16309DFCF04EFB4D4556AEBBB5AF46304F2099AAC400A7291D7745A84CF96
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310037069.00000000027D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_27d0000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fe25913f66674b9d617aa1a5f86cf50ad46f4bb216619f7da21e9abee67c9d62
        • Instruction ID: 82979a778cd2a52f697f28d0f0dcc3129dd881941e515352b5853430ca219a45
        • Opcode Fuzzy Hash: fe25913f66674b9d617aa1a5f86cf50ad46f4bb216619f7da21e9abee67c9d62
        • Instruction Fuzzy Hash: AA01F97650D3805FD7128B16EC45863FFB8DF86630709C1DFEC898B612D125A909CBB2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 19547d21311c6a9e502d5ed7891ceceea8cdc62b04d4d62ba6c52e5a758706b2
        • Instruction ID: 5345c7e50173e64f88caf9ba14e5586be313d063c7b565a10372cac39087a389
        • Opcode Fuzzy Hash: 19547d21311c6a9e502d5ed7891ceceea8cdc62b04d4d62ba6c52e5a758706b2
        • Instruction Fuzzy Hash: 9E0146B4D0630DDFCF04DFA8E9845AEBFB1AF8A300F2484AAD408A7310D7301A05CB62
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c11c971cab4a2f78bdfd1e57d19dcc05a739070d2e3d85a275357f89e3f79307
        • Instruction ID: 6d16b6edc9adbfcc788953f13ef8a5e80738fb224d8ee97e4f679735b724c400
        • Opcode Fuzzy Hash: c11c971cab4a2f78bdfd1e57d19dcc05a739070d2e3d85a275357f89e3f79307
        • Instruction Fuzzy Hash: DF01DD74D11209DFCB08EFA4D4457AEBBB5AB45305F20A9AA8815A7280DB789A80CB95
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310037069.00000000027D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_27d0000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: eefc292b86deb325bd62479ba351bfd1aab9a4b9b9ae3f3e347e2bb684b299a3
        • Instruction ID: cea19da8cce10fc2fcd8bb132dedaed40f8a18f0af4189a712d65d5d34316530
        • Opcode Fuzzy Hash: eefc292b86deb325bd62479ba351bfd1aab9a4b9b9ae3f3e347e2bb684b299a3
        • Instruction Fuzzy Hash: 56F082B28052046FD640DF09EC42896F7ECDF85621F14C52FEC088B301E676BA144AE2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.310037069.00000000027D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_27d0000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5ca60645c83194e34f7661edc114e16af12dd833d712730885cabe9fb06c623e
        • Instruction ID: f86f6c5f03349086ad025b2099f0980d2970b0245e57b9f1f58cf8bb06b48c41
        • Opcode Fuzzy Hash: 5ca60645c83194e34f7661edc114e16af12dd833d712730885cabe9fb06c623e
        • Instruction Fuzzy Hash: C7E092766046044BD650CF0BFC41466F7E8EB84630718C07FDC0D8B711D536B505CEA5
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.309712896.0000000000DC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC2000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dc2000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 60c0828d167b3f62b14efe3ee7ea097bcbf8517cb9b729cb4a363a763364c8b5
        • Instruction ID: 20f65d2160fd98f1d49b9a73576c5b763b5a56f03ae374effc33c983553bf362
        • Opcode Fuzzy Hash: 60c0828d167b3f62b14efe3ee7ea097bcbf8517cb9b729cb4a363a763364c8b5
        • Instruction Fuzzy Hash: 73D05B752056814FD3268A1CC165F553B94AF51704F4A44FDD8008B663C365D981D110
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.309712896.0000000000DC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC2000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_dc2000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4eb4f0af7a6f039dc9e54d02dbb634e3aa657f0365324184e76cf6146ce43fd2
        • Instruction ID: 294cbb66dd3147319267d4fd5d621e0983acab609f12b024e71454b2c1dee28f
        • Opcode Fuzzy Hash: 4eb4f0af7a6f039dc9e54d02dbb634e3aa657f0365324184e76cf6146ce43fd2
        • Instruction Fuzzy Hash: CED05E343102824BC725DB0CC194F6937D4AB41B00F0A44ECAC008B662C7B9DC81C610
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.310018177.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2790000_unarchiver.jbxd
        Similarity
        • API ID:
        • String ID: u]Uq^
        • API String ID: 0-2540615577
        • Opcode ID: 1a93eb7fd4544198076d6c97c58fdbca1370aff6d5f38f5c64050c44a7817e47
        • Instruction ID: 1d776c647cce8a5fe3113fb791e86e021ed6f6fa653174d48af02d8e8d8aa138
        • Opcode Fuzzy Hash: 1a93eb7fd4544198076d6c97c58fdbca1370aff6d5f38f5c64050c44a7817e47
        • Instruction Fuzzy Hash: E2910974D11204DFDB64DFA5E944A9ABBB3FB99709F10C666E80AEB768C7301941CF10
        Uniqueness

        Uniqueness Score: -1.00%