Edit tour

Windows Analysis Report
2016.zip

Overview

General Information

Sample name:	2016.zip
Analysis ID:	1525384
MD5:	e6d577fdb969bf89b350680588751a42
SHA1:	0891add60f3f06863e64e241cc9e7bbe982fafe5
SHA256:	f271d142dd7fc527ac4807657ae6e452dc9d8fb367bd0eed634d2e78ee5fe462
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 4340 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\2016.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 5288 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\bas04viz.kyq" "C:\Users\user\Desktop\2016.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 7za.exe, 00000001.00000003.1754612424.0000000002680000.00000004.00000800.00020000.00000000.sdmp, 1.png.1.dr	String found in binary or memory: http://wnsdobe.xmm.a/xap/1.0/
Source: 7za.exe, 00000001.00000003.1754612424.0000000002680000.00000004.00000800.00020000.00000000.sdmp, 1.png.1.dr	String found in binary or memory: http://wnsdobe.xmm.a/xap/1.0/mm/
Source: 7za.exe, 00000001.00000003.1754612424.0000000002680000.00000004.00000800.00020000.00000000.sdmp, 1.png.1.dr	String found in binary or memory: http://wnsdobe.xmm.a/xap/1.0/wM5fb

Source: classification engine

Classification label: clean2.winZIP@4/2@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\2016.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\bas04viz.kyq" "C:\Users\user\Desktop\2016.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\bas04viz.kyq" "C:\Users\user\Desktop\2016.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5050000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4936

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_010AB1D6 GetSystemInfo,

0_2_010AB1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\bas04viz.kyq" "C:\Users\user\Desktop\2016.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	31 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2016.zip	0%	ReversingLabs
2016.zip	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://wnsdobe.xmm.a/xap/1.0/	7za.exe, 00000001.00000003.1754612424.0000000002680000.00000004.00000800.00020000.00000000.sdmp, 1.png.1.dr	false	unknown
http://wnsdobe.xmm.a/xap/1.0/mm/	7za.exe, 00000001.00000003.1754612424.0000000002680000.00000004.00000800.00020000.00000000.sdmp, 1.png.1.dr	false	unknown
http://wnsdobe.xmm.a/xap/1.0/wM5fb	7za.exe, 00000001.00000003.1754612424.0000000002680000.00000004.00000800.00020000.00000000.sdmp, 1.png.1.dr	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525384
Start date and time:	2024-10-04 04:56:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2016.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bas04viz.kyq\Started\1.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1489
Entropy (8bit):	6.86073459890358
Encrypted:	false
SSDEEP:	24:+C1HC91n1apj52j4spNfC2lv4pNR+pOYCZXRHlkTwO+FJ6JELE7mqW:+AwR1M2BNfCaENR+YZhlFMJ4E7mz
MD5:	8CC45E13BF0779634CB7C1EF56973976
SHA1:	8DC64C41EF004848FA7269B1BFA20CE9557BE770
SHA-256:	C2A51C94A80276D662486C20F31E1F73BD967E2F8D69CACBE7C3AF2C158A3579
SHA-512:	0C953F1696D95DD347FBD1086B8770E925910663E55D8A7739EBCB213120CB004136FFCBC5D2D5F888BB5CE3CA73628AC5D575771552CE623AD393CB57769356
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................a....tEXtSoftware.Adobe ImageReadyq.e<...OiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTcz.d1.."?> <x:mp.meta xmlns:x="dobe.:ns:meta/" x:mp.tk="dobe IXMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199?.02/022-df=-syntax-ns#> <rdf:RDescription df:Rabout=""xmlns:x=mp"http://wnsdobe.xmm.a/xap/1.0/"xmlns:x=mpMM"http://wnsdobe.xmm.a/xap/1.0/mm/"xmlns:xstRef"http://wnsdobe.xmm.a/xap/1.0/wM5fb./Resourcadyf#xmlnp:CreatorTooldobe IXMPhotoshop DM50:m...012/020229.m.40312/02/06-29:21:00:00) (Macinosho)mlnp:MM:InstanceID="np:.iid:3334DECA62.5411E189C8889F502344A1lnp:MM:IDocumentD="np:.idd:36.50B4914.5461E189C8889F502344A1lnmp.mMM:IDoerivedFrom f"htt:itanceID="np:.iid:3334DECA68.5411E189C8889F502344A1lnpf"htt:dcumentD="np:.idd:3634DECA69.5411E189C8889F502344A1ln/mp./Description df:mp./Descmlnmp./meta xmlnmp.et begin=en0Mprx:m........IDATx.b4P.J```pf@.{/.}.....4`.....#.......\|q....?...".~... ,

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2375
Entropy (8bit):	4.929162812456713
Encrypted:	false
SSDEEP:	48:KBBQQQZFwYUQr/GpoGTGBqGIyUGTGblGpGLGsFGhGG0UGBqGIyUGKGUGeCGTGTGP:KHQMojv
MD5:	0353B9C57FED9755F8D2F668BAD05321
SHA1:	F3B1E9F5756FD13FBCBA3246509E33560424CD22
SHA-256:	4835A55C16770416F5855DC8C236ADCFF06E8E13A9C754B908EB6BD8E1379C68
SHA-512:	C168FCDF9A118BCBCB4A9D64550658743967E3F70A99FE73521C8E49C7DA25749BBA3BB22BF712F6CC7D993B4FEF3F379F19E9D42FF210CD18E207FBD35D5DE3
Malicious:	false
Reputation:	low
Preview:	10/03/2024 10:57 PM: Unpack: C:\Users\user\Desktop\2016.zip..10/03/2024 10:57 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\bas04viz.kyq..10/03/2024 10:57 PM: Received from standard error: ..10/03/2024 10:57 PM: Received from standard error: ERRORS:..10/03/2024 10:57 PM: Received from standard error: Headers Error..10/03/2024 10:57 PM: Received from standard error: Unconfirmed start of archive..10/03/2024 10:57 PM: Received from standard error: ..10/03/2024 10:57 PM: Received from standard error: ERROR: Data Error : Started\1.png..10/03/2024 10:57 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\2016.zip..10/03/2024 10:57 PM: Received from standard out: ..10/03/2024 10:57 PM: Received from standard out: WARNINGS:..10/03/2024 10:57 PM: Received from standard out: There are data after the end of archive..10/03/2024 10:57 PM: Received from standard out: ..10/03/2024 10:57 PM: Received from standard out: --..10/03/2024 10:57 PM: Received from standard out: Path

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.606940163167705
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	2016.zip
File size:	1'452 bytes
MD5:	e6d577fdb969bf89b350680588751a42
SHA1:	0891add60f3f06863e64e241cc9e7bbe982fafe5
SHA256:	f271d142dd7fc527ac4807657ae6e452dc9d8fb367bd0eed634d2e78ee5fe462
SHA512:	ee375b419d8995cf12a7040c7867a54c98e1d9a5c978de09027fcffc93bb81f18f0868f00f168d81368fc042685f24c65f1c67e2feca1ef005e683bbb1a45e88
SSDEEP:	24:96OdAqUcYS7SZ4krXoT7nmPxAw/4bao5a4iTyZ7eR/dcAI+G2PYAyBd3TnTDnjqJ:93dRYS7SZ4VTzmmwseTyZCRSeG2PYnBo
TLSH:	C131E6D7CB2E50D1E702D3BBC818462866706BC442419542E88C286CCEF16FF2CD1E09
File Content Preview:	PK........lFdFo..^............Started/1.png}TkL.U..XA.%"1.Z..`.j..>.NvY../uy,.1T...Y...Lg.wy.m....Q@.!J..O....hX....B..,....VmJ(Q."....1.7w..s.}.=s.9s./'3".`8....Yz..F...P.}.O?).1Bz.P.Z.'..@...i0.!.h#MR.'.i5.Hrm..B.....20.......C.uq....@3]f.k...^..Q..M..5

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 4340, Parent PID: 2580

General

Target ID:	0
Start time:	22:57:43
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\2016.zip"
Imagebase:	0xaa0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 5288, Parent PID: 4340

General

Target ID:	1
Start time:	22:57:43
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\bas04viz.kyq" "C:\Users\user\Desktop\2016.zip"
Imagebase:	0x350000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4348, Parent PID: 5288

General

Target ID:	2
Start time:	22:57:43
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 4340, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	19.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 010AB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 010AB208

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b8a170956e20b332ceb76b2670561ae7f55e29320837b005ec00602db25165a3
Instruction ID: c88b3ac93fbcdac875d94b7f7c3d4f5f317a47120985e1a04fad9f4612d8045b
Opcode Fuzzy Hash: b8a170956e20b332ceb76b2670561ae7f55e29320837b005ec00602db25165a3
Instruction Fuzzy Hash: 3B01D1759002808FEB50CF55D885769FBE4EF15320F48C4ABDD898F756D279E408CBA2

Function 010AB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 010AB2F3

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5093634093022b8caffc34215d1df7896e01fd34962dbe4ae7aae7b36e51e8d5
Instruction ID: 59756e5af8d9e7770ab1702920c7ad104e9ade9fa43f68dea406dc5b9567f792
Opcode Fuzzy Hash: 5093634093022b8caffc34215d1df7896e01fd34962dbe4ae7aae7b36e51e8d5
Instruction Fuzzy Hash: 8331B4725043846FE7228B61CC44FA7BFFCEF05310F04849AE985CB552D225E909DB71

Function 010AAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 010AADA7

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d7ead3a8087ab01656d0a8e2b806692058a35f2fb6bf48fcbf413df880323bf9
Instruction ID: 58b91dabef44cf2974adb7cc508aae6fc5a5f218280165d503fbe854a6436616
Opcode Fuzzy Hash: d7ead3a8087ab01656d0a8e2b806692058a35f2fb6bf48fcbf413df880323bf9
Instruction Fuzzy Hash: 6331B172504384AFEB228B65CC44FABBFECEF05224F04889AF985DB552D225E509DB71

Function 010AAB76 Relevance: 1.6, APIs: 1, Instructions: 95
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 010AAC36

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: b7a692a514f6a9d798fab81ef37ff45ed757ab56112cabfbddaea02c458a449c
Instruction ID: 640cef11d532caaaf12298e2b6ebfc71afd254ac29ba54f6c53e57b90569c566
Opcode Fuzzy Hash: b7a692a514f6a9d798fab81ef37ff45ed757ab56112cabfbddaea02c458a449c
Instruction Fuzzy Hash: 88316D7250E3C05FD3138B718C65A61BFB4AF47610F1984DBD8C4DF1A3D229A919C762

Function 010AA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010AA67D

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d5df92263c2d00724fba1f239523f168e78dd9fc0ada7bb8aab20a57872b485a
Instruction ID: 9ba567397cd0e9f730e52bd77f94f8a102e58ba4324cfd2a9ed4063d9b622d14
Opcode Fuzzy Hash: d5df92263c2d00724fba1f239523f168e78dd9fc0ada7bb8aab20a57872b485a
Instruction Fuzzy Hash: E4318171604340AFE722CF65CC44F66BFE8EF49220F08849EE9858B652D375E509DB71

Function 010AA120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 010AA1C2

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 1964247608c501a996c2c7a44d0e1a8eab318ab02fc713710fa0f05efe51b5e0
Instruction ID: 427b45dcc73be774fd55bd7534a0f34170282dce6b33d2ec69e284cdd8070498
Opcode Fuzzy Hash: 1964247608c501a996c2c7a44d0e1a8eab318ab02fc713710fa0f05efe51b5e0
Instruction Fuzzy Hash: E821E57150D3C06FD3028B258C61BA6BFB4EF87620F1985DBD8C4CF693D225A919C7A2

Function 010AAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 010AADA7

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb618429713bad9a231caf3520565a6aa01afc49013ed8856a58bed2ffc1b1e7
Instruction ID: dad2af36a86010f022cb73f73e70ab48ec01196785f1b42f9e4874e6564616db
Opcode Fuzzy Hash: eb618429713bad9a231caf3520565a6aa01afc49013ed8856a58bed2ffc1b1e7
Instruction Fuzzy Hash: BB21B572600204AFEB219F54CD44FABBBECEF14214F04885AE985DB651D735E548CBA1

Function 010AA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA40C

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 148bcce7edc8a7b193ed3e810d2f2a8c2e72f6904826e02ac009023c37bcebb2
Instruction ID: 483a454202a7c1da80b724ce1e562d6b1db6d1894b088b35ac36b9f7e923ab77
Opcode Fuzzy Hash: 148bcce7edc8a7b193ed3e810d2f2a8c2e72f6904826e02ac009023c37bcebb2
Instruction Fuzzy Hash: F2216D76604744AFE721CF55CC84FA6BBF8EF45610F08849AE985CB692D364E908CB72

Function 010AB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 010AB2F3

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 990207a58860835c68b95f733df3961da10050be7af763051ca95716d7008ba3
Instruction ID: b8b1ca99a113f24b30263a20713e46e0977bdb95c08c84ec3a9679f0e074e755
Opcode Fuzzy Hash: 990207a58860835c68b95f733df3961da10050be7af763051ca95716d7008ba3
Instruction Fuzzy Hash: 2121C172600204AFEB21CF65CC44FABBBECEF14314F04886AE985CB651D375E5488BB2

Function 010AA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA8DE

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 41d65f109ee4f87f62985046c43f21a16bab19bfead605ef89ce8c91f433067e
Instruction ID: d1b1023d8b4e5dcc8a5356a57fd3e83ad58131a9dec3a24473a8f37d49bbaa26
Opcode Fuzzy Hash: 41d65f109ee4f87f62985046c43f21a16bab19bfead605ef89ce8c91f433067e
Instruction Fuzzy Hash: C921B371508380AFE722CB64DC44FA6BFB8EF46714F0984DAE984CF593C265A909C772

Function 010AA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA9C1

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34cd80d7d7211e4bcac80f5f62bb008ec8e613c9c484d971cc112927948509de
Instruction ID: 597c4ca5ebdedb0be86c04d1255c593735f0854e779ae4760fc49cdd2a10748e
Opcode Fuzzy Hash: 34cd80d7d7211e4bcac80f5f62bb008ec8e613c9c484d971cc112927948509de
Instruction Fuzzy Hash: 8021AE71509380AFDB22CF65CC44F96BFB8EF46314F0884DAE9849B152C275A508CBB2

Function 010AA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010AA67D

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd467e30fb41152f78fb82d918f34c82882f35db53be25e95368ef6a2a64e96a
Instruction ID: 17c1865d4377abc98df4bd69d3ab48a197d7e1f00446372e401ab70f529f6839
Opcode Fuzzy Hash: dd467e30fb41152f78fb82d918f34c82882f35db53be25e95368ef6a2a64e96a
Instruction Fuzzy Hash: 4821B271600240EFE721CF65CC45F66FBE8EF58224F4488AAE9858B691D375E408CF72

Function 010AA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA815

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 53541f8bea755f089ace9f89b3338e9a49f0e194c1b6e9ecb41e35d76e19920f
Instruction ID: 6d806c6b8591226c51a63c8e95d0c5b7b31dc6ed5da6e38883959935134617ef
Opcode Fuzzy Hash: 53541f8bea755f089ace9f89b3338e9a49f0e194c1b6e9ecb41e35d76e19920f
Instruction Fuzzy Hash: 3F21D5B55083806FE7128B61DC40BA2BFB8EF56314F0880DAE9848B293D264A909D772

Function 010AAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 010AAA8B

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 61508c06bcd69c47a2096ef0d282ba8495a93269de2c57a50a0ab07cb65ee2ea
Instruction ID: 593c6094e340f14ec0f115c20483c804e666e114e7b6443dc5712320b2611d05
Opcode Fuzzy Hash: 61508c06bcd69c47a2096ef0d282ba8495a93269de2c57a50a0ab07cb65ee2ea
Instruction Fuzzy Hash: D12171716083C09FE752CB69DC55B92BFE8AF06314F0D84EAE984CB593D325D905CB61

Function 010AA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA40C

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 386f339d4ff31b9dbab16eec0bdaf828fd2f1eeb83bbe979ae494357fa534791
Instruction ID: 682f088f4504cf3f0b7da946a0b2a65daa79c3d839358d5e568a2ebfbee033e9
Opcode Fuzzy Hash: 386f339d4ff31b9dbab16eec0bdaf828fd2f1eeb83bbe979ae494357fa534791
Instruction Fuzzy Hash: DF21AE76600200AFE761CE55CC84FA6FBECEF14610F48C49AF985CB692D764E808CA72

Function 010AA962 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA9C1

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c1fc03adfc73495b4eadbf0e70479863cbe5071127eacb4cdf12c193d8eaaeac
Instruction ID: e852aa36d634ca56d7e0e71794aec9a9035cae894aae3243f3569abac92fd836
Opcode Fuzzy Hash: c1fc03adfc73495b4eadbf0e70479863cbe5071127eacb4cdf12c193d8eaaeac
Instruction Fuzzy Hash: 4611E776600240EFEB21CF55DC84FAAFBE8EF14324F04845AE9458B691C375E548CBB2

Function 010AA882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA8DE

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 253d93b8640eabfbc9473e482ca15b0a218265a34fffb5ab838f155cac73f3cb
Instruction ID: be522c66b44b198976a44787496cddd8d3b7c89fb42ad60bd13b4652e0e3ea07
Opcode Fuzzy Hash: 253d93b8640eabfbc9473e482ca15b0a218265a34fffb5ab838f155cac73f3cb
Instruction Fuzzy Hash: 9B11E775600240AFEB61CF54DC84BAAFBE8EF54324F04845AE9459B681C374E508CBB2

Function 010AA2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010AA30C

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d8cc734a4fdeb0d7f92b5a31a5f752d61079916ba5dc5f3d484a40348c53eced
Instruction ID: 2068a312f3f2e745f19f10b33fb26d15b04fe40b1431c70e8ea38f618efc38ac
Opcode Fuzzy Hash: d8cc734a4fdeb0d7f92b5a31a5f752d61079916ba5dc5f3d484a40348c53eced
Instruction Fuzzy Hash: FC1194755093C09FD7138B25DC54652BFB4DF07220F0980DBDD858F163D265A808CB72

Function 010AAF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 010AAFE4

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ec587ff3ae6f403000c9fa6bb0829693970f5eafbe2cbd2aedb893db0a61c2cb
Instruction ID: ec17ff2c3c05e720036da6ccfbd6155981d17cc44106f480b96fccdb9b194272
Opcode Fuzzy Hash: ec587ff3ae6f403000c9fa6bb0829693970f5eafbe2cbd2aedb893db0a61c2cb
Instruction Fuzzy Hash: A611AC715493C09FDB12CB29DC85B52BFF4EF06220F0984DAED858B663D274A808CB62

Function 010AB1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 010AB208

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ec33224f99beaea2c20ca5d4c9eaf3c3b2b1ea8dfea1489ea3e2c1319af7d774
Instruction ID: 74190cd77311c500918f9aaa718dd89da4dab7598b627b2daabaa84cbfafede5
Opcode Fuzzy Hash: ec33224f99beaea2c20ca5d4c9eaf3c3b2b1ea8dfea1489ea3e2c1319af7d774
Instruction Fuzzy Hash: 9E115E715093C09FDB12CF25DC84B56BFB4EF46220F0884DAED858F653D279A908CB62

Function 010AA7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,967A5A0A,00000000,00000000,00000000,00000000), ref: 010AA815

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ef1e11df65f441a39da1ec17b97895955081b4f02154e70041d3a2bfc0092ac2
Instruction ID: ea88dc6575344825911f2c79b1da765feeb2fb50323cad331043136741c5fdc0
Opcode Fuzzy Hash: ef1e11df65f441a39da1ec17b97895955081b4f02154e70041d3a2bfc0092ac2
Instruction Fuzzy Hash: 2A01D675600240AFE761CF55DC85BA6FBE8DF14724F04C096ED458B782D374E408CAB6

Function 010AAA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 010AAA8B

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: cdd7e52be9d2ced2e60b71bd0ca7a23c4f9e7de77ed162e0db6fdfe6d54057e8
Instruction ID: f58bad8ccda0b78ab58a3bdd5f298bc370a8d1997e0e58b24f8182f12e3f703a
Opcode Fuzzy Hash: cdd7e52be9d2ced2e60b71bd0ca7a23c4f9e7de77ed162e0db6fdfe6d54057e8
Instruction Fuzzy Hash: 13116175700240DFEB50CF69D995B66FBE8EF15220F48C4AAED49CB682E374E504CB61

Function 010AABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 010AAC36

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: fc60a6c971ff9deb5dfab195a44072e176a57259d7d6677e543bf1ccbb13a476
Instruction ID: 9e15faeb2b93ee83d1d93f83116cb3b2a51f5ae5d7f3ea84ceff24facf3d15cf
Opcode Fuzzy Hash: fc60a6c971ff9deb5dfab195a44072e176a57259d7d6677e543bf1ccbb13a476
Instruction Fuzzy Hash: BA015E71A00200AFD310DF16DC85B76FBE8EB88A20F14856AED489BB41D635F915CBA6

Function 010AA172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 010AA1C2

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: c78f6c8d34c3124979f7f65bed6e7b706794e278dde35cc7ee25040f4904864e
Instruction ID: bae86fe1584559b6c6cc95d72c4b2d231007aa3712cebc0d78addada0d535733
Opcode Fuzzy Hash: c78f6c8d34c3124979f7f65bed6e7b706794e278dde35cc7ee25040f4904864e
Instruction Fuzzy Hash: 3D017171A00200AFD310DF16DC85B76FBE8EB88A20F14856AED089BB41D735F915CBE6

Function 010AAFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 010AAFE4

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 42a7fc1069a5e8fd227dcbc3bf861626f333a6cbfe0428a4331b2d3275f278a2
Instruction ID: 1c9b27285d053f3fb5fdbb918d10021dc7e476838f078009bb95c27c33b77f74
Opcode Fuzzy Hash: 42a7fc1069a5e8fd227dcbc3bf861626f333a6cbfe0428a4331b2d3275f278a2
Instruction Fuzzy Hash: 9201F475A00240CFEB55CF59D885766FBE4EF05324F48C0AAED458B792D375E848CEA2

Function 010AA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010AA30C

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e269b02eb97104bb8d61b60fe1046fa9ad7738ae4bb5d5a097aedf0728c90e25
Instruction ID: 8b478188f5b2232016effdcd325b812f4c7a6de4268c9a368c24963aab29f723
Opcode Fuzzy Hash: e269b02eb97104bb8d61b60fe1046fa9ad7738ae4bb5d5a097aedf0728c90e25
Instruction Fuzzy Hash: 67F0AF36A04280CFEB61CF06D885765FBE4EF15624F48C09AED494F792D3B5E418CEA2

Function 010AA6D4 Relevance: 1.3, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 010AA748

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 73099ea89b70543e17de8590e835a54154bf755a76398cf553c2ad327e7caeb9
Instruction ID: 60ca20d6fd925cda21f8aaa1ae1273408826a8d498c9fb15e3ba3b2ad034c816
Opcode Fuzzy Hash: 73099ea89b70543e17de8590e835a54154bf755a76398cf553c2ad327e7caeb9
Instruction Fuzzy Hash: D821A4759093C09FDB138B25DC95752BFB8EF07220F0984DADD858F6A3D2649948C762

Function 010AA716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 010AA748

Memory Dump Source

Source File: 00000000.00000002.1760502471.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10aa000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9091394ccdfddc7470efca187e10e6491342b4ca473ae46de1b98a6e5227d67b
Instruction ID: ce54eb4d0f2042aca6e8f74657e540751d46db7281d31aecfde00090de29c8a6
Opcode Fuzzy Hash: 9091394ccdfddc7470efca187e10e6491342b4ca473ae46de1b98a6e5227d67b
Instruction Fuzzy Hash: C501D475A00240CFEB51CF55DC8576AFFE4EF04220F48C4AADC468B682D278E444CAA1

Function 00F60882 Relevance: 1.0, Instructions: 994COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760296172.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c62697891e0b4ae2f084d69346a53e21055590cce8c2f8600d5e62927a9ecc
Instruction ID: 334a4e530da4535c0cd8af522e6d3815572b2ade41d1f4a63873e39a9f441ed0
Opcode Fuzzy Hash: b5c62697891e0b4ae2f084d69346a53e21055590cce8c2f8600d5e62927a9ecc
Instruction Fuzzy Hash: B521A2A280D3805FD7438B205C54A917FF5DF53520B0985DFDC858B593E2296D0BC7B2

Function 052602C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc27cd126b2253127ef272e313d340987b0ecdeb88182d54448049fd678ff9c0
Instruction ID: 9c4c3da719058b76313ee44af9b6eab5d394188eb0a0c4a89bf0eaa2deaa9ffe
Opcode Fuzzy Hash: fc27cd126b2253127ef272e313d340987b0ecdeb88182d54448049fd678ff9c0
Instruction Fuzzy Hash: 72B17C35612301CFC768DF64E899A5B77BAFF88240B109078E906AB395DB3D9C40CF91

Function 05260799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07d9ba45e5acf946e6059c5e5f1db7c0890b843c46e56262c3db00c80be2cc8
Instruction ID: 4b11948eeb86d70712516ceab675fc16f0e458511707549c5ba13ca6bb4f9fbc
Opcode Fuzzy Hash: e07d9ba45e5acf946e6059c5e5f1db7c0890b843c46e56262c3db00c80be2cc8
Instruction Fuzzy Hash: 05A16C75B102018BDB14EBB4D4657AE73A7FFE8308F248069D906AB394DB7D9C42CB91

Function 05260C99 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ffeb7589c884f2779130b395840ec722f2f20b0ad37a22fd84714cc365e122
Instruction ID: f6732cbb0fb8607a5482fe3dc472c0517f0c96f93e164d1a2e5ff0694d900ea4
Opcode Fuzzy Hash: b1ffeb7589c884f2779130b395840ec722f2f20b0ad37a22fd84714cc365e122
Instruction Fuzzy Hash: 92210170B002468FCB11EB39C4416AF7BD7EFD5248B44446CE486DB341DF7AAD018796

Function 05260CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864f6a3042fb2084de36d2b70a8fd8688f01f4b3b5526049e34c56e50fb7b4e
Instruction ID: 03213820067ff9533c3b1a8d45426dc91f874b05a5139d1c7080bb147f7a9fee
Opcode Fuzzy Hash: 5864f6a3042fb2084de36d2b70a8fd8688f01f4b3b5526049e34c56e50fb7b4e
Instruction Fuzzy Hash: B6210130B006468BC710EB3994416AFB7D7AFD5244B84842CD4869B341DF7AE9028795

Function 05260BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c343dc639c04d9b676c44a7e2d8e243e4e4ed00806742257c03a78f0c6be87dd
Instruction ID: 4c3b9454244283e6f96aabcf6d1a7f462bccfeec390dcb33bc2a34a090bf92bf
Opcode Fuzzy Hash: c343dc639c04d9b676c44a7e2d8e243e4e4ed00806742257c03a78f0c6be87dd
Instruction Fuzzy Hash: E6119132B10219AFCF44ABB4D85599F77F6FFC8214B0545B9E605E7230EB39AC058B81

Function 00F60808 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760296172.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e62d02541241e39dc2b4eb719dde578ad566b4e241d963712163357c7abb4d5
Instruction ID: 23506a6cd1e27cd0f57cfacfb6c361f33c6f1a5284588b2ae0e4e6f8d140ffbd
Opcode Fuzzy Hash: 2e62d02541241e39dc2b4eb719dde578ad566b4e241d963712163357c7abb4d5
Instruction Fuzzy Hash: EE01B1B28097446FE300DA11AC85856BBA8EF85624F04846AE8498B642D276A9088BA2

Function 00F605E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760296172.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ae4dd45e5edca562ef54227bbcdb4b9daf828cdad32ffd650be10710a322e3
Instruction ID: 2e7bfff46f2dfda9cc3178b13702dc6c36d821e5d4018e989a79e25878b1db80
Opcode Fuzzy Hash: b6ae4dd45e5edca562ef54227bbcdb4b9daf828cdad32ffd650be10710a322e3
Instruction Fuzzy Hash: 0301D6B650D7846FD711CF169C44862FFF8EF86620708849FEC4A8B653D225A808CBB2

Function 00F6082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760296172.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf9abfec3d8761c84335da522f54667382ac1e65c777908ed36cb2a6fcd734d
Instruction ID: 79dcc436a88684d55bab8a501a742ce37064c6fa8a483ab1abe8dd7e51a885e0
Opcode Fuzzy Hash: 6bf9abfec3d8761c84335da522f54667382ac1e65c777908ed36cb2a6fcd734d
Instruction Fuzzy Hash: FDF082B2945204AF9240DF15ED85896F7ECEF84621F04C52AEC088B701E276BD194AF2

Function 05260C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01dfbc3009bb791fdf0286524b6694486938d0634d96dcd725eafb04e0fee2d
Instruction ID: 4fd7d19f6e5bb4b7ae3abfe449e5a0ae2f045336b71c422837d194306a050292
Opcode Fuzzy Hash: e01dfbc3009bb791fdf0286524b6694486938d0634d96dcd725eafb04e0fee2d
Instruction Fuzzy Hash: B9E0DF32F252241FCB04DBB988915DE7FE1EF95264B5544B9D008DB360EA3A880287C0

Function 00F60606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760296172.0000000000F60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d516714d42043356932c8413c7881c1073710e1fc63f1886dcce4a8844e787
Instruction ID: 993bd9c03fe76ce0059438a3b8cdedec63154eda260071897b872993c359d199
Opcode Fuzzy Hash: 91d516714d42043356932c8413c7881c1073710e1fc63f1886dcce4a8844e787
Instruction Fuzzy Hash: 66E092B6A006404F9750CF0BEC81452F7E8EB84630708C07FDC0D8BB01D235F508CAA5

Function 05260C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d547de8be1d6a56c1b58dfee2873a4e1bacf0200a0104968ae8203f0359c0
Instruction ID: 30e88d0e8701eb604f5b7a2a09ff53827e1a070a828f24ec424b76e78cc82765
Opcode Fuzzy Hash: 049d547de8be1d6a56c1b58dfee2873a4e1bacf0200a0104968ae8203f0359c0
Instruction Fuzzy Hash: 74D01232F112286B8B48DBB9584159FBBEAAB84165B5544799009D7350EE35990187D0

Function 05260E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecb14f3dfff243ebdf1a0ab71aabd502b25a6742258733febac6326d440e455
Instruction ID: 805826f065b34f2458bad46794fdbfedffc1c948c084a24e47745ee91d54f1ca
Opcode Fuzzy Hash: aecb14f3dfff243ebdf1a0ab71aabd502b25a6742258733febac6326d440e455
Instruction Fuzzy Hash: 9CE08C313193408FCB06DB38D819A9D7FA0AF96204F48C1EA8448CF2A3C379C840DB01

Function 05260DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a8b26e301b879889a84bbe16d5f3f30dfb714c61967da08092f6171a7173b2
Instruction ID: 21abc9da465fd2e6f48624bc9a4ddaaa325a7311b72af18eda7a2ad89ace24ee
Opcode Fuzzy Hash: 19a8b26e301b879889a84bbe16d5f3f30dfb714c61967da08092f6171a7173b2
Instruction Fuzzy Hash: 5FE0C2343283808FC7029B34D4689A13BA1BF86308F0985D9C8448F372C638E890EB40

Function 010A23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760481432.00000000010A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10a2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aba2efc21e9761e702a1e7088673a2801d96a810cc12ea9fccb7c87cc4dfa4d
Instruction ID: ee1857b9890d5f114e12ac7ae6e6baeb0596c933e0e35dbecc181e62df08e102
Opcode Fuzzy Hash: 8aba2efc21e9761e702a1e7088673a2801d96a810cc12ea9fccb7c87cc4dfa4d
Instruction Fuzzy Hash: 73D05E792067C14FE3169A1CC1A4B953BE4AB61714F8A44F9A8408B763CB68D5D1D600

Function 010A23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760481432.00000000010A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10a2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4841c712a248f24c2d31f73d98ee46c8daa8af19863bca17d127635be3be336d
Instruction ID: da132c18f679a840cc79974f88d9ac1b050c1717e094d004d05147e7d99c11a1
Opcode Fuzzy Hash: 4841c712a248f24c2d31f73d98ee46c8daa8af19863bca17d127635be3be336d
Instruction Fuzzy Hash: 64D05E352012814BDB15DA0CC6D5F593BD4AB55B14F0688F8AC508B762C7A8D8C0CA00

Function 05260DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed847c25a86da940a20fd26695862aebc336c3cb98f3f743caf7af52c4bbb69
Instruction ID: 1ae22fb62452eefe03a8ae30fff6dfbd5de7496b2c49b3c8e735daa2012bef8c
Opcode Fuzzy Hash: 5ed847c25a86da940a20fd26695862aebc336c3cb98f3f743caf7af52c4bbb69
Instruction Fuzzy Hash: BDC012303103048FC704AB78D41DE26739AEFD0304F49C16488090B261DA78EC80D684

Function 05260E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761668667.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5260000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3aa42b15ec6c588a5ab5e5d9663f59ba9e89bf7804e72605f07dc6022435ec0
Instruction ID: d587d2f615fae47d32b3a5e4e67ee926a253e539e1fd2683eb81d952fcbbb173
Opcode Fuzzy Hash: d3aa42b15ec6c588a5ab5e5d9663f59ba9e89bf7804e72605f07dc6022435ec0
Instruction Fuzzy Hash: B6C012313103048FC708A778D51DA2A7799EFD4304F88C16448095B261DA78EC80D644

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2016.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bas04viz.kyq\Started\1.png

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 4340, Parent PID: 2580

General

Chronological Activities

Analysis Process: 7za.exePID: 5288, Parent PID: 4340

General

Chronological Activities

Analysis Process: conhost.exePID: 4348, Parent PID: 5288

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 4340, Parent PID: 2580COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Windows Analysis Report
2016.zip

Function 010AB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 010AAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 010AAB76 Relevance: 1.6, APIs: 1, Instructions: 95
pipeCOMMON

Function 010AA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 010AA120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Function 010AAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 010AA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 010AB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 010AA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 010AA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 010AA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 010AA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 010AAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 010AA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Function 010AA962 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON