Edit tour

Windows Analysis Report
2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip

Overview

General Information

Sample name:	2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip
Analysis ID:	1527973
MD5:	39dddacaad6f4b01441cc8b2375d9115
SHA1:	f58815c1041ff0496dfefec6efd2179a9a044fa9
SHA256:	a86253e26b54153e1f69870671cbf06e0b1b5117ecf15ca400d72d6e1387aba5
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 3444 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 7208 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ff5owwsh.bgr" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ff5owwsh.bgr" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ff5owwsh.bgr" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip

Static file information: File size 39196241 > 1048576

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5510000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 549			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9420			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7268	Thread sleep count: 549 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7268	Thread sleep time: -274500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7268	Thread sleep count: 9420 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7268	Thread sleep time: -4710000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 6_2_0151B1D6 GetSystemInfo,

6_2_0151B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ff5owwsh.bgr" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527973
Start date and time:	2024-10-07 13:27:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip

Simulations

Behavior and APIs

Time	Type	Description
07:29:23	API Interceptor	4345735x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3405
Entropy (8bit):	5.054802292130547
Encrypted:	false
SSDEEP:	48:wz4GCGbCGCGpQGHbGCGpmrGbcGxrGaGUGCGCGm9GCGfGCGmDjqk1YhsXVZZyzQxY:duHYSZMZKzO
MD5:	1FDDB4EC096A4E2E0E1BFC06B1ABA952
SHA1:	2DD18831522121587A4D5F8E82D4154CFFE0CA03
SHA-256:	CC89314638D2ACA1D704F29A2C341643F5C3C4D1E0AA5883EA3309F4D02B39DA
SHA-512:	5B45DF8652321292273CA0343CC2D4EE75EA857D6D7DBB2ED8E0A2738F27ACF92E082FA2A6E9A739E075A27941D2F1EF3CED21E7FBC19E855496006BBC95261F
Malicious:	false
Reputation:	low
Preview:	10/07/2024 7:28 AM: Unpack: C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip..10/07/2024 7:28 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\ff5owwsh.bgr..10/07/2024 7:28 AM: Received from standard out: ..10/07/2024 7:28 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..10/07/2024 7:28 AM: Received from standard out: ..10/07/2024 7:28 AM: Received from standard out: Scanning the drive for archives:..10/07/2024 7:28 AM: Received from standard out: 1 file, 39196241 bytes (38 MiB)..10/07/2024 7:28 AM: Received from standard out: ..10/07/2024 7:28 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip..10/07/2024 7:28 AM: Received from standard out: --..10/07/2024 7:28 AM: Received from standard out: Path = C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip..10/07/2024 7:28 AM:

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.999996039626842
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip
File size:	39'196'241 bytes
MD5:	39dddacaad6f4b01441cc8b2375d9115
SHA1:	f58815c1041ff0496dfefec6efd2179a9a044fa9
SHA256:	a86253e26b54153e1f69870671cbf06e0b1b5117ecf15ca400d72d6e1387aba5
SHA512:	fb9841ebe5fba60647097beed1f947c228d8c151b2986e6c44b4fa604c72c25d7fab8c5ec14ca9f36b448850d8d892b2d387cccce4ef0d7fa543f582f775d2f0
SSDEEP:	786432:OVnYhlu4XCNCX0PXn23yVIl92joXg+UmnJs2MW2vy9HAiOpiE:OVYxyNc0PXn23yWl7g++2MnwcAE
TLSH:	09873305E8EEDAEF42E0B5DE67F6D720623005A3F7DD178ECAA7E8D0D4D021B2592194
File Content Preview:	PK..-......VGY.6..............tutorial8_v4.0.zip....SNe.......V.........s....Bxe(....5..c.h....qtm:.j<..-..[.?...A...Ve(fv.......c...0;..ef,......V...HF1.{.<..$.U....ss...c.(..x. M.t..%`....d...&.!.Q..J..A..............u<..&2!..w..t.z.,..o#..]D=Z...GG.G

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 13:29:11.167896032 CEST	53	50049	1.1.1.1	192.168.2.11

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 3444, Parent PID: 2592

General

Target ID:	6
Start time:	07:28:50
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip"
Imagebase:	0xe80000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 7208, Parent PID: 3444

General

Target ID:	8
Start time:	07:28:50
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ff5owwsh.bgr" "C:\Users\user\Desktop\2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip"
Imagebase:	0x400000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7216, Parent PID: 7208

General

Target ID:	9
Start time:	07:28:50
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 3444, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.1%
Total number of Nodes:	78
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0151B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0151B208

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: acf6780a3306a0852c189cb8f6805eafcb807151d425652169ab47ae668b40a2
Instruction ID: 0fd408bc156a0adc225d83cde3eaca26424a4590014c621f09a1e99b75895234
Opcode Fuzzy Hash: acf6780a3306a0852c189cb8f6805eafcb807151d425652169ab47ae668b40a2
Instruction Fuzzy Hash: C901A7755012408FEB11CF55D984B99FBE4EF05224F08C4AADD598F756D279A408CB61

Function 0151B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0151B2F3

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5f0cc16e40e5f6dd4ed818ab6cc1729e6e01cbeb89dad946b4a1370836d0595a
Instruction ID: 2fc5fd0d4350c6822bd764de68b32048da38e763df29921cedf2715246ed33eb
Opcode Fuzzy Hash: 5f0cc16e40e5f6dd4ed818ab6cc1729e6e01cbeb89dad946b4a1370836d0595a
Instruction Fuzzy Hash: 6731B475404344AFE7228B65CC44FABBFBCEF05214F04889AE985CB562D334A919CB71

Function 0151AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0151ADA7

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ae8aa749551af1bb08499c38d3c04f2fb27a71622a349034a0e00bef2ff06025
Instruction ID: 781eca82fac985f87a8105c0f8b17f59dda5f791d107ba58c3d6d15b3b79acbb
Opcode Fuzzy Hash: ae8aa749551af1bb08499c38d3c04f2fb27a71622a349034a0e00bef2ff06025
Instruction Fuzzy Hash: 8631B572505384AFE7228B65CC44FA7BFACEF05614F04889AF985CB552D234A919CB71

Function 0151AB76 Relevance: 1.6, APIs: 1, Instructions: 92
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0151AC36

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: c680786fd3eef29b39d1156d575cb7245505d27a084f6bd3e3bf80ea06227b5b
Instruction ID: e3215e9b6f0d556040f45c72e28d45b64785945048da4a357dafa54243cd5688
Opcode Fuzzy Hash: c680786fd3eef29b39d1156d575cb7245505d27a084f6bd3e3bf80ea06227b5b
Instruction Fuzzy Hash: 0E31B17540E7C05FC3138B758C65A56BFB4AF47610F1A85CBD8C4CF6A3D228A919C762

Function 0151A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0151A67D

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e19b9b902f52a1babcaaa720e67978a9a442616addfe93baa3f36636457d57ec
Instruction ID: 86f549f556d5616b712d002c780d06b6841fcf15631bd21785744439bc064d52
Opcode Fuzzy Hash: e19b9b902f52a1babcaaa720e67978a9a442616addfe93baa3f36636457d57ec
Instruction Fuzzy Hash: 8731D171505380AFE722CF65CD44F66BFE8EF45220F0888AEE9858B652D375E809CB71

Function 0151A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0151A1C2

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 5f16256c6c4442ee1ebc8fb4289043e8ca417ab81f2a31a5b0e65e96f73ab0c6
Instruction ID: 042f45223057e4e80903d764a788407f598c738b2ebea262078c6022b966df88
Opcode Fuzzy Hash: 5f16256c6c4442ee1ebc8fb4289043e8ca417ab81f2a31a5b0e65e96f73ab0c6
Instruction Fuzzy Hash: 5C21E27540D3C06FD3128B258C61BA6BFB4EF47610F0945CBD884CF693D225A91AC7A2

Function 0151A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A40C

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 448dfa56c043c3598d6dc02b6fcff50437e6ae092ea248f8fdbeb120c86de851
Instruction ID: 5a9612cc5cc006e8fa4aa79cdbd3a251e5cec1e11612bf2c8d82be41188fc2d1
Opcode Fuzzy Hash: 448dfa56c043c3598d6dc02b6fcff50437e6ae092ea248f8fdbeb120c86de851
Instruction Fuzzy Hash: 55219C75505380AFE722CF15CC84FA7BBFCEF05610F08889AE985CB692D364E949CB61

Function 0151B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0151B2F3

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b628c4ac63fec50c470f0b26028a05674579d61d91a5fa8069c2425da780bb5
Instruction ID: 82162cde924fdc25e656d0c633b81b1706203b18b83cc26b6dd1a766b83cd07c
Opcode Fuzzy Hash: 7b628c4ac63fec50c470f0b26028a05674579d61d91a5fa8069c2425da780bb5
Instruction Fuzzy Hash: 3421B272500304AFEB22DF65CC44FABBBECFF04214F04886AE9458BA51D734E5198BA1

Function 0151A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 0151A5B1

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 5c18420fdba3d1d0de972877decc3abf72ea092d2497ef0f0a54992ecb8346e1
Instruction ID: fd09a8a37db5abc00f26e599d84a5ff54c1418fe45856b7f3374a8d859d3d5a5
Opcode Fuzzy Hash: 5c18420fdba3d1d0de972877decc3abf72ea092d2497ef0f0a54992ecb8346e1
Instruction Fuzzy Hash: 8B21837550D3806FD3138B25CC51B62BFB8EF87614F0A81DBE8849F693D624A919C7B2

Function 0151AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 0151ADA7

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f7bcce7c7385f95459de66a8f66a0d5241f2492036ac2c931afc62050362f37
Instruction ID: 2aa6e8116a30c98b3e082d061e0a675a3a9bcd284b2beac7e34fa475f76f5f64
Opcode Fuzzy Hash: 9f7bcce7c7385f95459de66a8f66a0d5241f2492036ac2c931afc62050362f37
Instruction Fuzzy Hash: 8921B272500704AFEB22CF65CD44FABFBECEF04224F04886AE945CBA55D734E5198B61

Function 0151A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A8DE

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: fcd699f6a9262cf113337a73ce28128ba27966e67df30cbcb412050246a8640d
Instruction ID: f9821019c5581034ba03960100514f720aa4e16a0e5b10cc35b824f610f3b2c2
Opcode Fuzzy Hash: fcd699f6a9262cf113337a73ce28128ba27966e67df30cbcb412050246a8640d
Instruction Fuzzy Hash: 2F21C4754093806FE7238B54DC44FA6BFB8EF46714F0888EAE9848F553C234A909C771

Function 0151A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A9C1

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1d1f558766904599decabce1e2b35a03cb914aaf00608b4c347fb9ff215f76b9
Instruction ID: a0d1e4adcaac7fde4dfcc77281ff1ea00f308d68754aee40d5045ddd3d4d5984
Opcode Fuzzy Hash: 1d1f558766904599decabce1e2b35a03cb914aaf00608b4c347fb9ff215f76b9
Instruction Fuzzy Hash: 1221A171409380AFDB22CF55CD44F96BFB8EF06214F08889AE9848F652C375A909CBA1

Function 0151A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0151A67D

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 81679c53fc7a61d7a5a7825046bafb6819d8cd2e9a53d03b660052cdb76fc333
Instruction ID: 4e89d3b4cb9eb01acab86e72cb708d72f2a1fd069b39914440de53cdf5e10259
Opcode Fuzzy Hash: 81679c53fc7a61d7a5a7825046bafb6819d8cd2e9a53d03b660052cdb76fc333
Instruction Fuzzy Hash: 6F21AE71A01240AFE722CF69DD85F66FBE8FF08214F048869E9458B656D375E408CB61

Function 0151A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A815

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f4bc0e5dc7faee1743872d2e58c5e949878f1e11f4af42b2f2867f99991ccbf8
Instruction ID: 34f5d4cc8f84a019dcfcd778d1b9d02bc6c793d8ca19d53997cfeebea0be1b28
Opcode Fuzzy Hash: f4bc0e5dc7faee1743872d2e58c5e949878f1e11f4af42b2f2867f99991ccbf8
Instruction Fuzzy Hash: 7121F6B54093806FE7238B159C40BA6BFB8EF46714F0884D6ED848F653D268AD09C771

Function 0151AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0151AA8B

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2200cbf9e3986de65edbda5388b4997cc66d2955a69e933e46d62c7ec1889577
Instruction ID: ce07792e34c5b00ee0da2f909e3099e93d6cd55bab562c3ed3bdaa90be895dca
Opcode Fuzzy Hash: 2200cbf9e3986de65edbda5388b4997cc66d2955a69e933e46d62c7ec1889577
Instruction Fuzzy Hash: 5821CF725093C05FEB13CB69DC55B96BFE8AF02214F0D84EAE884CF253D264D909CB61

Function 0151A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A40C

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7fd94f9a22ebb3114722739997e2274aa73ecdde5630bfe2b2596235daeca555
Instruction ID: b7cfb6ebb71ec97230623885d0f6f3beb579638b13488cf1289ec372781fc7bd
Opcode Fuzzy Hash: 7fd94f9a22ebb3114722739997e2274aa73ecdde5630bfe2b2596235daeca555
Instruction Fuzzy Hash: 9921AE756013409FE732CE19CD84FAAF7ECEF04610F04C86AE9458B652D7B4E809CA71

Function 0151A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A9C1

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 737dbee6901b6d68e89362a70c404384cbc1a21570f26f5ba449d8cf943a636a
Instruction ID: b20fd117654ec25ec0b1abd6f63fd71b139344fd17a4b05738954961d8c702d7
Opcode Fuzzy Hash: 737dbee6901b6d68e89362a70c404384cbc1a21570f26f5ba449d8cf943a636a
Instruction Fuzzy Hash: 6B11D076401240AFEB22CF55CD84FAAFBE8EF04624F04886AE9458F641C378A448CBA1

Function 0151A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A8DE

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 05094a3783f694ec88b5aef74df151c0288bb83a58fa9dc7ac49e6c18a9dec28
Instruction ID: 6076bf49274837c5ca6c9bb72c5b1292ecd972d5372ac814f2b4341977fd1c3a
Opcode Fuzzy Hash: 05094a3783f694ec88b5aef74df151c0288bb83a58fa9dc7ac49e6c18a9dec28
Instruction Fuzzy Hash: 5E110475401340AFEB22CF58CD44BAAF7E8EF04724F04C86AED448F645C338A5098BB1

Function 0151A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0151A30C

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6fa5469031d09ec52967eaed7c678d4ccdad1044c829083d1c143c6b024b6b1b
Instruction ID: d063450c027d427993bec4a122d147f22d373a7f0ea693010e8fe83f537872e9
Opcode Fuzzy Hash: 6fa5469031d09ec52967eaed7c678d4ccdad1044c829083d1c143c6b024b6b1b
Instruction Fuzzy Hash: B81191754093C09FD7238B25DC94A56BFB4EF07220F0980DBDD848F663D265A809CB62

Function 0151A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,3EA70D49,00000000,00000000,00000000,00000000), ref: 0151A815

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: af85de2ef11fc9efdd7d2b62ed30b7fb989671f1c52ea3da21f974c24c39a4db
Instruction ID: a10126821f2092fb01bee52a30ecd9645cb31468d207d4454c63a7c1d4e225f8
Opcode Fuzzy Hash: af85de2ef11fc9efdd7d2b62ed30b7fb989671f1c52ea3da21f974c24c39a4db
Instruction Fuzzy Hash: 06012675501340AEE722CB19CD84BAAF7E8EF04624F04C4A6ED048F742D778E8098AB5

Function 0151AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0151AA8B

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 4a42a105828fd934643f5c0dd3757cf04aa728e07a7782f37fb412e8532ac913
Instruction ID: 65e21c85361ccf7bcac107bbb6efd175d6aa324d12287c89a0a8b2ffd04678bf
Opcode Fuzzy Hash: 4a42a105828fd934643f5c0dd3757cf04aa728e07a7782f37fb412e8532ac913
Instruction Fuzzy Hash: 7F1152766012409FFB12CF59D984B56FBD8EF04610F08C8AADD49CF64AD675E504CA61

Function 0151AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0151AFE4

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0678a19a0488096568ab86bdefabff065751f43c7c73386aa796b28e7d55e366
Instruction ID: 53a740de1bbf9a569e67deb87b347a6d5cacb919d02734fa7e4370a6c8c20f23
Opcode Fuzzy Hash: 0678a19a0488096568ab86bdefabff065751f43c7c73386aa796b28e7d55e366
Instruction Fuzzy Hash: C311A0755093C09FD7128B25DC85B56FFF4EF06220F0984DAED858F663D278A808DB61

Function 0151B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0151B208

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6b0da58453e83d0946e6284e6d30991a08ab6e157e883860e7378dde718068ef
Instruction ID: 47a09547b8f4d29441eac079e6eac3c76e062f7a1e8a4cddd7ae217c84e48148
Opcode Fuzzy Hash: 6b0da58453e83d0946e6284e6d30991a08ab6e157e883860e7378dde718068ef
Instruction Fuzzy Hash: 101170754093809FDB12CF15DC84B56FFB4EF46224F0884DAED848F653D275A908CB62

Function 0151A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0151A1C2

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 32c169325ee91ae165dbe6d77fce24eaaae480c3eb5d532641dae8146c8b6a19
Instruction ID: 334baa4c627fc1659726429383c7ee90940ce909980eba8ca5a9761a82d6839e
Opcode Fuzzy Hash: 32c169325ee91ae165dbe6d77fce24eaaae480c3eb5d532641dae8146c8b6a19
Instruction Fuzzy Hash: 20015E75500200ABD210DF16DD86B66FBA8FB88A20F14856AED089B741D735F915CBA5

Function 0151ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0151AC36

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 278a9b5f10ff0010b2f83c851ad1be670c3fac525e0f559b36083ab008d63cf7
Instruction ID: ce8f0143902899e3b8098633701d050f095b3277b112731e072d08fd78dc2e5a
Opcode Fuzzy Hash: 278a9b5f10ff0010b2f83c851ad1be670c3fac525e0f559b36083ab008d63cf7
Instruction Fuzzy Hash: B5019E75500200ABD210DF16CD86B66FBA8FB88A20F14856AEC089B741D731F915CBA5

Function 0151A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 0151A5B1

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: bf6cfe2b1dce807206d3001d8fbc72009ec8d37742dcd9eff715dba208997e90
Instruction ID: 82bf676d291becf2574cc1ddfde777a32a6ed4178f9d1146f0a84bb184f1d94d
Opcode Fuzzy Hash: bf6cfe2b1dce807206d3001d8fbc72009ec8d37742dcd9eff715dba208997e90
Instruction Fuzzy Hash: E101A275500200ABD210DF1ACD86B66FBE8FF88A20F148159EC089BB41D735F916CBE5

Function 0151AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0151AFE4

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f0f24f537ea004f4d35dd67c0dbe6f55f38e2ca1a9e7cfb2eaaa53f4ff5158a0
Instruction ID: 53858fda4078ed0b0c3cd3ffdd1c0290a95a834b26b05fcfba5893f5c31fc09a
Opcode Fuzzy Hash: f0f24f537ea004f4d35dd67c0dbe6f55f38e2ca1a9e7cfb2eaaa53f4ff5158a0
Instruction Fuzzy Hash: D901F9795012408FEB22CF19D984766FBE4FF04220F08C4AADD154FB56D679E448DEA1

Function 0151A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0151A30C

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f6630a90217c304a7be818a0d87b783dbda19a162964cd7b790b4bff72860812
Instruction ID: 66ac406aa84ef4fa2d77b31b33de2a9fcb15876f25be0d45ece45a0abe40bb8c
Opcode Fuzzy Hash: f6630a90217c304a7be818a0d87b783dbda19a162964cd7b790b4bff72860812
Instruction Fuzzy Hash: 70F0C835505280CFEB22CF09D984766FBE0EF04624F08C4AADD094F756D3B9E408CEA2

Function 019B0C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

KMH, xrefs: 019B0D6E, 019B0D73

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID: KMH
API String ID: 0-1782619069
Opcode ID: 7913f486158959fe2776761f1b3502121711aaa0dc4db5e52f85194e3405dd64
Instruction ID: c5dfee764fbabac93d059daa2410ec67a0f09b9454437d7f32ba1c0d7d96d891
Opcode Fuzzy Hash: 7913f486158959fe2776761f1b3502121711aaa0dc4db5e52f85194e3405dd64
Instruction Fuzzy Hash: D6210730B002104BDB25EB3988416AE7AE6AFC5604F44852CE04ADB780DB7D9D068796

Function 019B0CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

KMH, xrefs: 019B0D6E, 019B0D73

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID: KMH
API String ID: 0-1782619069
Opcode ID: da7bc5ae2d9d08cbbb94073e23794e5da22e8b40d3d42a8f107998b0d6c1df2d
Instruction ID: 619bd6648e05d001dee0189491a2461f3a387b260ed374363b2f29ba7fd46393
Opcode Fuzzy Hash: da7bc5ae2d9d08cbbb94073e23794e5da22e8b40d3d42a8f107998b0d6c1df2d
Instruction Fuzzy Hash: 8521E730B007148BDB25EB3985416AFB7E7AFC5608F54882CD08ADB780DF7DA90687D5

Function 0151A6D4 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0151A748

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 27493c54dfe8667ae4a5002c5cfaff40c7b061ad818a33bbe5ef4c3491ca259c
Instruction ID: 2f378322eb9ff8e18617d628a0bbdb7893c72653ceeda10c44819f05f7a75750
Opcode Fuzzy Hash: 27493c54dfe8667ae4a5002c5cfaff40c7b061ad818a33bbe5ef4c3491ca259c
Instruction Fuzzy Hash: E821A1B59097C09FD7138B29DC94756BFB4EF06320F0984DBDC858F6A3D224A908C762

Function 0151A716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0151A748

Memory Dump Source

Source File: 00000006.00000002.3741157848.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c8f4134679ec1db494947d3cbad2b44d7d9c396540c5f6a8216b6730001268b3
Instruction ID: 604e5ba5217c5f840f88a0b9c637483cdf999e50bb8efe88bfca30a8d35076d2
Opcode Fuzzy Hash: c8f4134679ec1db494947d3cbad2b44d7d9c396540c5f6a8216b6730001268b3
Instruction Fuzzy Hash: A801A7759013408FEB12CF19D985756FBE4EF04224F08C4BADD0A8F756D679E948CEA1

Function 019B02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ff9d5ed51e1bc28355dfcdd2570ff1f36dffe66030299bce031cc83c30d7b6
Instruction ID: 1d9587c7205334600fc74184500b30a0b8135d7944c433a466885ffd4defd63a
Opcode Fuzzy Hash: 52ff9d5ed51e1bc28355dfcdd2570ff1f36dffe66030299bce031cc83c30d7b6
Instruction Fuzzy Hash: FBB14F39601100CFC724DF65E994A5A7BB6FF89241F158268F90AAB364DB3C9C09EF90

Function 019B0799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2626887c6e1b4f8fdd77b0ed38519e6962ba786d55acddf1524060c7a3bb6479
Instruction ID: bb3ecd624426cc18480f4de47e6d53ddba4e873220d9840b1b009a02c05fa40e
Opcode Fuzzy Hash: 2626887c6e1b4f8fdd77b0ed38519e6962ba786d55acddf1524060c7a3bb6479
Instruction Fuzzy Hash: 6DA19030B002018BDB19DBB8D5557AE77B7FB88308F248469E906AB7A4DF7C9C06DB51

Function 019B0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a529746f88c930d4635ea09b849cb3bd56a25158f40c95e5801e4c42cfbac76c
Instruction ID: 1bb3ed0d73e21adf31d7eb102785a00da7414ff0f06b703d0a9e5471fee727fc
Opcode Fuzzy Hash: a529746f88c930d4635ea09b849cb3bd56a25158f40c95e5801e4c42cfbac76c
Instruction Fuzzy Hash: 1B11AF31A50218AFCB44DBB4E845CDF77F6FB89214B15817DE505A7260DB39AC0A8780

Function 019B0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6217e8d057f8dee6e49e0e6a0b4427f3f024ff35a785dccf0852a0411446b6
Instruction ID: 6e1c7ac6ed5b45ea4f15132b2532d6c86cb909f55830c93dac28cd0273b0dd1e
Opcode Fuzzy Hash: 5c6217e8d057f8dee6e49e0e6a0b4427f3f024ff35a785dccf0852a0411446b6
Instruction Fuzzy Hash: AE118F31A10218AF8B04DBB4D84599E77F6FB88214B154579E605E7270EB79AC0AD7C0

Function 01560808 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3741499929.0000000001560000.00000040.00000020.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1560000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d92be4c4e9007fa9f7b1685c1fcba5126203fb6ed130d16e61c9ebf4e06e11
Instruction ID: 0382109f95aedfbdf9b45820505c2dd5467345667d201e39a72bc3f7aff6e512
Opcode Fuzzy Hash: 53d92be4c4e9007fa9f7b1685c1fcba5126203fb6ed130d16e61c9ebf4e06e11
Instruction Fuzzy Hash: EA01D4B64093406FC301CB05AC41C56BFF8EF82520F0884AEEC488B602D265A918CBE6

Function 015605E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3741499929.0000000001560000.00000040.00000020.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1560000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fad28dee417bce924ef0308b5f489c705c2dee02570c9be72e9f9ef8c0186a
Instruction ID: 1b3cd690f7c584e0486d503040184ed8de2a958cc5e65b66390a31183d9f521c
Opcode Fuzzy Hash: 32fad28dee417bce924ef0308b5f489c705c2dee02570c9be72e9f9ef8c0186a
Instruction Fuzzy Hash: 4CF086B65093805FD7118B06AC40862FFA8EF8662070984ABEC498B752D225A909CBA6

Function 0156082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3741499929.0000000001560000.00000040.00000020.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1560000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b5f0cab73d0daa2f6f3d6e613c4d51523c09dc19e84eba53521c5479d6a13d
Instruction ID: 77c4939f6980820301121f300069aa2bf9ba7b74c7ddf5999b62f615d49ae3c8
Opcode Fuzzy Hash: 15b5f0cab73d0daa2f6f3d6e613c4d51523c09dc19e84eba53521c5479d6a13d
Instruction Fuzzy Hash: BAF082B6805204AF9340DF45ED45856F7ECEF94521F08C56AEC088B701E276B9198AE6

Function 01560606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3741499929.0000000001560000.00000040.00000020.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1560000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f08077bc443ffc86d1177913304a0ee836675f564a354456d9d948b16391803
Instruction ID: 2a8c5d47cd35cb9dee422d1ae8a1de908b75c9f68ee8a36f010841b9de5db375
Opcode Fuzzy Hash: 0f08077bc443ffc86d1177913304a0ee836675f564a354456d9d948b16391803
Instruction Fuzzy Hash: 13E092BA6006004B9650CF0BEC81452F7D8EF88630B08C47FDC0D8B711D239B508CEE5

Function 019B0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5165b1531776c2b97024038e416f15e39b840bbf3fd3ac05d250b4cf59b97cbb
Instruction ID: 6a693314b7f1b531e25da5b1cfb4e169c730ab496bc3f2b982c1912c25acddd5
Opcode Fuzzy Hash: 5165b1531776c2b97024038e416f15e39b840bbf3fd3ac05d250b4cf59b97cbb
Instruction Fuzzy Hash: 89E0D831F543141FCB44DEB9484159E7FE6DBC5160B51457EC008DB341EB3C88028791

Function 019B0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b55e6f3aabb8101143a567d614b8d3186fbbe19766161e9e71b22c4df288d3
Instruction ID: 0805a7c966d0b080e873c2e991f97c97ee94c9041e091d4dcca80969c2baa81b
Opcode Fuzzy Hash: c9b55e6f3aabb8101143a567d614b8d3186fbbe19766161e9e71b22c4df288d3
Instruction Fuzzy Hash: 77D01231F442182B8B48DEF9584159E7AEA9B84194B64447D900DD7340FE3998018791

Function 019B0E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fef362b35861b12a42193921ddf179fa5cfd989033da611612fcfbdb86398b8
Instruction ID: cfbe8d3e827a25c758565e59f2c81b67eacf5721986d732c4415e6677c81ff11
Opcode Fuzzy Hash: 3fef362b35861b12a42193921ddf179fa5cfd989033da611612fcfbdb86398b8
Instruction Fuzzy Hash: 11E05B312803008FCB459774E5559EA7BB5ABD6324F4AC1AEB008DB971C67DDC86C710

Function 019B0DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef909690feae4c9cb8cc9c5fed25a727cc77bd87e3300edc5550431b62758bdb
Instruction ID: 3039b2a1b27b9f17bc629328f042633736cc84cbf0f1ae888117e998b0ee83fe
Opcode Fuzzy Hash: ef909690feae4c9cb8cc9c5fed25a727cc77bd87e3300edc5550431b62758bdb
Instruction Fuzzy Hash: 7DE012301903048FCB0597B4A9569EA37B5BBC5724F4AC1A9A4084F962D76CEC85C691

Function 015123F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3741128345.0000000001512000.00000040.00000800.00020000.00000000.sdmp, Offset: 01512000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1512000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb69854ee64d2a41a6ae102e22cfde5732218c7aa3cdd1406ca7778345aeb14
Instruction ID: 126c7ac418788dba67f533183cc33f6b9ff8897e7e68ea54e24279bf3615b366
Opcode Fuzzy Hash: ceb69854ee64d2a41a6ae102e22cfde5732218c7aa3cdd1406ca7778345aeb14
Instruction Fuzzy Hash: 12D02EB9240AC04FF3238A0CC2A4B893BE4BB40704F0A04F9A800CF767C7A8E580C200

Function 015123BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3741128345.0000000001512000.00000040.00000800.00020000.00000000.sdmp, Offset: 01512000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1512000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f84b6fd08a135bc42b7b729ca2505ba3a1c1ef7a5acd5beb1f1b1ec63bd259
Instruction ID: 74768338933358a3220cf735c7c6b4d6189a4fd1c73f59de8d903d0a9f4f3f56
Opcode Fuzzy Hash: 95f84b6fd08a135bc42b7b729ca2505ba3a1c1ef7a5acd5beb1f1b1ec63bd259
Instruction Fuzzy Hash: 4CD05E342002814FE726DA0CC2D4F9D7BD4BB40714F1644E8AC108F766C7B4D8C0DA00

Function 019B0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ee2171c7e862362b8f94b0b58ae66495b1c80cbeb54b0b1dc27b482eb16068
Instruction ID: fa2104bbdb784d7a7ba556a29858b1e7d15c6b4c58595d06fc07cb93b521c120
Opcode Fuzzy Hash: 45ee2171c7e862362b8f94b0b58ae66495b1c80cbeb54b0b1dc27b482eb16068
Instruction Fuzzy Hash: B8C012302403088BCB04A778D659A6A77A967D4204F88C164650C1B261CA78FC44C784

Function 019B0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3742064239.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19b0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a141dccae8e5929b0c159704308f9e32cffc6bb688e46108420fd9d9ce9bc1
Instruction ID: 1438bb90d6e2e0a99eec58c8f65bea2dc2eee5df404a29c4a2e0234d0fa3cd7a
Opcode Fuzzy Hash: 62a141dccae8e5929b0c159704308f9e32cffc6bb688e46108420fd9d9ce9bc1
Instruction Fuzzy Hash: 69C012302403088BDB04A778D559A6677AA67D0604F49C164A50C1B261DA78FC44D6C4

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 3444, Parent PID: 2592

General

Chronological Activities

Analysis Process: 7za.exePID: 7208, Parent PID: 3444

General

Chronological Activities

Analysis Process: conhost.exePID: 7216, Parent PID: 7208

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 3444, Parent PID: 2592COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0151B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 0151B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Windows Analysis Report
2293139_Files_20241007105542_2293139_Files_tutorial8_v4.0 (1).zip

Function 0151B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0151AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0151AB76 Relevance: 1.6, APIs: 1, Instructions: 92
pipeCOMMON

Function 0151A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 0151A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 0151A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 0151B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0151A50F Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0151AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0151A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0151A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0151A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0151A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0151AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 0151A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON